(unknown),

(unknown),

[Jan Engelhardt]

Hi Patrick,

Please pull from
	git://dev.medozas.de/iptables master

which contains a pack of patches to build iptables without libdl,
obsoleting iptables-static (leaving -multi) and using the -multi
program exclusively.

Jan Engelhardt (5):
      build: order of dependent libs is sensitive
      multi binary: allow subcommand via argv[1]
      build: fix struct size mismatch
      build: combine iptables-multi and iptables-static
      build: build only iptables-multi

 INSTALL                   |   41 ++++++++++++++++------
 Makefile.am               |   84 ++++++++++++++-------------------------------
 extensions/GNUmakefile.in |    4 +-
 include/xtables.h.in      |    6 +---
 ip6tables-multi.c         |   53 +++++++++++++++++-----------
 ip6tables-restore.c       |    2 +-
 ip6tables-save.c          |    2 +-
 ip6tables-standalone.c    |    2 +-
 iptables-multi.c          |   60 ++++++++++++++++++++------------
 iptables-restore.c        |    2 +-
 iptables-save.c           |    2 +-
 iptables-standalone.c     |    2 +-
 12 files changed, 135 insertions(+), 125 deletions(-)

[PATCH 1/5] build: order of dependent libs is sensitive

[Jan Engelhardt]

libiptc.la must come after its components or `make install` won't get
things right.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 Makefile.am |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index a9e3ad3..23cdedd 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -14,7 +14,7 @@ endif
 lib_LTLIBRARIES =
 
 # libiptc
-lib_LTLIBRARIES           += libiptc/libiptc.la libiptc/libip4tc.la libiptc/libip6tc.la
+lib_LTLIBRARIES           += libiptc/libip4tc.la libiptc/libip6tc.la libiptc/libiptc.la
 libiptc_libiptc_la_SOURCES  =
 libiptc_libiptc_la_LIBADD   = libiptc/libip4tc.la libiptc/libip6tc.la
 libiptc_libiptc_la_LDFLAGS  = -version-info 0:0:0
-- 
1.6.3.3

[PATCH 2/5] multi binary: allow subcommand via argv[1]

[Jan Engelhardt]

libtool does not play well with symlinks when trying to run commands
in the build directory. So provide an alternate way to call
iptables-multi: when argv[0] is not a recognized name, inspect [1]
for an alternate identifer.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 ip6tables-multi.c |   53 +++++++++++++++++++++++++++++-----------------
 iptables-multi.c  |   60 ++++++++++++++++++++++++++++++++--------------------
 2 files changed, 70 insertions(+), 43 deletions(-)

diff --git a/ip6tables-multi.c b/ip6tables-multi.c
index 3313bfd..671558c 100644
--- a/ip6tables-multi.c
+++ b/ip6tables-multi.c
@@ -7,26 +7,39 @@ int ip6tables_main(int argc, char **argv);
 int ip6tables_save_main(int argc, char **argv);
 int ip6tables_restore_main(int argc, char **argv);
 
-int main(int argc, char **argv) {
-  char *progname;
+int main(int argc, char **argv)
+{
+	char *progname;
 
-  if (argc == 0) {
-    fprintf(stderr, "no argv[0]?");
-    exit(1);
-  } else {
-    progname = basename(argv[0]);
+	if (argc < 1) {
+		fprintf(stderr, "ERROR: This should not happen.\n");
+		exit(EXIT_FAILURE);
+	}
 
-    if (!strcmp(progname, "ip6tables") ||
-        strcmp(progname, "ip6tables-static") == 0)
-      return ip6tables_main(argc, argv);
-    
-    if (!strcmp(progname, "ip6tables-save"))
-      return ip6tables_save_main(argc, argv);
-    
-    if (!strcmp(progname, "ip6tables-restore"))
-      return ip6tables_restore_main(argc, argv);
-    
-    fprintf(stderr, "ip6tables multi-purpose version: unknown applet name %s\n", progname);
-    exit(1);
-  }
+	progname = basename(argv[0]);
+	if (strcmp(progname, "ip6tables") == 0)
+		return ip6tables_main(argc, argv);
+	if (strcmp(progname, "ip6tables-save") == 0)
+		return ip6tables_save_main(argc, argv);
+	if (strcmp(progname, "ip6tables-restore") == 0)
+		return ip6tables_restore_main(argc, argv);
+
+	++argv;
+	--argc;
+	if (argc < 1) {
+		fprintf(stderr, "ERROR: No subcommand given.\n");
+		exit(EXIT_FAILURE);
+	}
+
+	progname = basename(argv[0]);
+	if (strcmp(progname, "main") == 0)
+		return ip6tables_main(argc, argv);
+	if (strcmp(progname, "save") == 0)
+		return ip6tables_save_main(argc, argv);
+	if (strcmp(progname, "restore") == 0)
+		return ip6tables_restore_main(argc, argv);
+
+	fprintf(stderr, "ip6tables multi-purpose version: "
+	        "unknown subcommand \"%s\"\n", progname);
+	exit(EXIT_FAILURE);
 }
diff --git a/iptables-multi.c b/iptables-multi.c
index 28c1737..4dcc26d 100644
--- a/iptables-multi.c
+++ b/iptables-multi.c
@@ -8,29 +8,43 @@ int iptables_save_main(int argc, char **argv);
 int iptables_restore_main(int argc, char **argv);
 int iptables_xml_main(int argc, char **argv);
 
-int main(int argc, char **argv) {
-  char *progname;
+int main(int argc, char **argv)
+{
+	char *progname;
 
-  if (argc == 0) {
-    fprintf(stderr, "no argv[0]?");
-    exit(1);
-  } else {
-    progname = basename(argv[0]);
+	if (argc < 1) {
+		fprintf(stderr, "ERROR: This should not happen.\n");
+		exit(EXIT_FAILURE);
+	}
 
-    if (!strcmp(progname, "iptables") ||
-        strcmp(progname, "iptables-static") == 0)
-      return iptables_main(argc, argv);
-    
-    if (!strcmp(progname, "iptables-save"))
-      return iptables_save_main(argc, argv);
-    
-    if (!strcmp(progname, "iptables-restore"))
-      return iptables_restore_main(argc, argv);
-    
-    if (!strcmp(progname, "iptables-xml"))
-      return iptables_xml_main(argc, argv);
-    
-    fprintf(stderr, "iptables multi-purpose version: unknown applet name %s\n", progname);
-    exit(1);
-  }
+	progname = basename(argv[0]);
+	if (strcmp(progname, "iptables") == 0)
+		return iptables_main(argc, argv);
+	if (strcmp(progname, "iptables-save") == 0)
+		return iptables_save_main(argc, argv);
+	if (strcmp(progname, "iptables-restore") == 0)
+		return iptables_restore_main(argc, argv);
+	if (strcmp(progname, "iptables-xml") == 0)
+		return iptables_xml_main(argc, argv);
+
+	++argv;
+	--argc;
+	if (argc < 1) {
+		fprintf(stderr, "ERROR: No subcommand given.\n");
+		exit(EXIT_FAILURE);
+	}
+
+	progname = basename(argv[0]);
+	if (strcmp(progname, "main") == 0)
+		return iptables_main(argc, argv);
+	if (strcmp(progname, "save") == 0)
+		return iptables_save_main(argc, argv);
+	if (strcmp(progname, "restore") == 0)
+		return iptables_restore_main(argc, argv);
+	if (strcmp(progname, "xml") == 0)
+		return iptables_xml_main(argc, argv);
+
+	fprintf(stderr, "iptables multi-purpose version: "
+	        "unknown subcommand \"%s\"\n", progname);
+	exit(EXIT_FAILURE);
 }
-- 
1.6.3.3

[PATCH 3/5] build: fix struct size mismatch

[Jan Engelhardt]

Mixing code compiled with and without -DNO_SHARED_LIBS is fine as
long as the structs have the same layout. This patch prevents a
potential (currently non-triggerable) "ip6tables: target (null)<123>
is missing a version" error.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 include/xtables.h.in |    4 ----
 1 files changed, 0 insertions(+), 4 deletions(-)

diff --git a/include/xtables.h.in b/include/xtables.h.in
index 222e2a9..7468302 100644
--- a/include/xtables.h.in
+++ b/include/xtables.h.in
@@ -90,9 +90,7 @@ struct xtables_match
 	unsigned int option_offset;
 	struct xt_entry_match *m;
 	unsigned int mflags;
-#ifdef NO_SHARED_LIBS
 	unsigned int loaded; /* simulate loading so options are merged properly */
-#endif
 };
 
 struct xtables_target
@@ -152,9 +150,7 @@ struct xtables_target
 	struct xt_entry_target *t;
 	unsigned int tflags;
 	unsigned int used;
-#ifdef NO_SHARED_LIBS
 	unsigned int loaded; /* simulate loading so options are merged properly */
-#endif
 };
 
 struct xtables_rule_match {
-- 
1.6.3.3

[PATCH 4/5] build: combine iptables-multi and iptables-static

[Jan Engelhardt]

Changed the Makefile so that:

1. --enable-shared / --disable-shared control the linkage against
   libdl (and thus the potential to use 3rd party extensions)

2. --enable-static / --disable-static controls whether shipped
   extensions are built-in or provided as modules

iptables-static becomes redundant by this action; iptables-multi now
has the feature.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 INSTALL                   |   41 ++++++++++++++++++++++++++++++-----------
 Makefile.am               |   32 ++++++++++++--------------------
 extensions/GNUmakefile.in |    4 ++--
 include/xtables.h.in      |    2 +-
 ip6tables-restore.c       |    2 +-
 ip6tables-save.c          |    2 +-
 ip6tables-standalone.c    |    2 +-
 iptables-restore.c        |    2 +-
 iptables-save.c           |    2 +-
 iptables-standalone.c     |    2 +-
 10 files changed, 51 insertions(+), 40 deletions(-)

diff --git a/INSTALL b/INSTALL
index 4a44989..acb56cd 100644
--- a/INSTALL
+++ b/INSTALL
@@ -41,18 +41,22 @@ Configuring and compiling
 
 	It is enabled by default.
 
+--enable-static
+
+	Produce additional binaries, iptables-static/ip6tables-static,
+	which have all shipped extensions compiled in.
+
+--disable-shared
+
+	Produce binaries that have dynamic loading of extensions disabled.
+	This implies --enable-static.
+	(See some details below.)
+
 --enable-libipq
 
 	This option causes libipq to be installed into ${libdir} and
 	${includedir}.
 
---enable-static
-
-	Enable building single standalone multipurpose binaries,
-	(iptables-static and ip6tables-static), which contain every
-	extension compiled-in (and does not support additional
-	extensions).
-
 --with-ksource=
 
 	Xtables does not depend on kernel headers anymore, but you can
@@ -74,7 +78,22 @@ The make process will automatically build multipurpose binaries.
 These have the core (iptables), -save, -restore and -xml code
 compiled into one binary, but extensions remain as modules.
 
-If you want to build a statically linked version of the iptables binary,
-without the need for loading the plugins at runtime (e.g. for an
-embedded device or router-on-a-disk), you can use the --enable-static
-configure flag.
+
+Static and shared
+=================
+
+Basically there are three configuration modes defined:
+
+ --disable-static --enable-shared (this is the default)
+
+	Build a binary that relies upon dynamic loading of extensions.
+
+ --enable-static --enable-shared
+
+	Build a binary that has the shipped extensions built-in, but
+	is still capable of loading additional extensions.
+
+ --enable-static --disable-shared
+
+	Shipped extensions are built-in, and dynamic loading is
+	deactivated.
diff --git a/Makefile.am b/Makefile.am
index 23cdedd..fc779e9 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -26,7 +26,13 @@ libiptc_libip6tc_la_LDFLAGS = -version-info 0:0:0
 lib_LTLIBRARIES      += libxtables.la
 libxtables_la_SOURCES = xtables.c
 libxtables_la_LDFLAGS = -version-info ${libxtables_vcurrent}:0:${libxtables_vage}
+if ENABLE_SHARED
+libxtables_la_CFLAGS  = ${AM_CFLAGS}
 libxtables_la_LIBADD  = -ldl
+else
+libxtables_la_CFLAGS  = ${AM_CFLAGS} -DNO_SHARED_LIBS=1
+libxtables_la_LIBADD  =
+endif
 
 # iptables, dynamic
 iptables_SOURCES          = iptables-standalone.c iptables.c xshared.c
@@ -38,6 +44,9 @@ iptables_multi_SOURCES    = iptables-multi.c iptables-save.c \
                             iptables-restore.c iptables-xml.c \
                             iptables-standalone.c iptables.c xshared.c
 iptables_multi_CFLAGS     = ${AM_CFLAGS} -DIPTABLES_MULTI
+if ENABLE_STATIC
+iptables_multi_CFLAGS    += -DALL_INCLUSIVE
+endif
 iptables_multi_LDFLAGS    = ${iptables_LDFLAGS}
 iptables_multi_LDADD      = ${iptables_LDADD}
 
@@ -49,11 +58,6 @@ iptables_save_SOURCES     = iptables-save.c iptables.c xshared.c
 iptables_save_LDFLAGS     = ${iptables_LDFLAGS}
 iptables_save_LDADD       = ${iptables_LDADD}
 
-# iptables-multi, semi-static
-iptables_static_SOURCES   = ${iptables_multi_SOURCES} xtables.c
-iptables_static_CFLAGS    = ${iptables_multi_CFLAGS} -DNO_SHARED_LIBS=1
-iptables_static_LDADD     = libiptc/libip4tc.la extensions/libext4.a -lm
-
 iptables_xml_SOURCES      = iptables-xml.c
 
 # ip6tables, dynamic
@@ -65,6 +69,9 @@ ip6tables_multi_SOURCES   = ip6tables-multi.c ip6tables-save.c \
                             ip6tables-restore.c ip6tables-standalone.c \
                             ip6tables.c xshared.c
 ip6tables_multi_CFLAGS    = ${AM_CFLAGS} -DIPTABLES_MULTI
+if ENABLE_STATIC
+ip6tables_multi_CFLAGS   += -DALL_INCLUSIVE
+endif
 ip6tables_multi_LDFLAGS   = ${ip6tables_LDFLAGS}
 ip6tables_multi_LDADD     = ${ip6tables_LDADD}
 
@@ -76,11 +83,6 @@ ip6tables_save_SOURCES    = ip6tables-save.c ip6tables.c xshared.c
 ip6tables_save_LDFLAGS    = ${ip6tables_LDFLAGS}
 ip6tables_save_LDADD      = ${ip6tables_LDADD}
 
-# iptables-multi, semi-static
-ip6tables_static_SOURCES    = ${ip6tables_multi_SOURCES} xtables.c
-ip6tables_static_CFLAGS     = ${ip6tables_multi_CFLAGS} -DNO_SHARED_LIBS=1
-ip6tables_static_LDADD      = libiptc/libip6tc.la extensions/libext6.a -lm
-
 bin_PROGRAMS     = iptables-xml
 sbin_PROGRAMS    =
 noinst_PROGRAMS  =
@@ -89,22 +91,12 @@ man_MANS         = iptables.8 iptables-restore.8 iptables-save.8 \
                    ip6tables-save.8
 CLEANFILES       = iptables.8 ip6tables.8
 
-if ENABLE_STATIC
-if ENABLE_IPV4
-sbin_PROGRAMS += iptables-static
-endif
-if ENABLE_IPV6
-sbin_PROGRAMS += ip6tables-static
-endif
-endif
-if ENABLE_SHARED
 if ENABLE_IPV4
 sbin_PROGRAMS += iptables iptables-multi iptables-restore iptables-save
 endif
 if ENABLE_IPV6
 sbin_PROGRAMS += ip6tables ip6tables-multi ip6tables-restore ip6tables-save
 endif
-endif
 
 iptables.8: ${srcdir}/iptables.8.in extensions/matches4.man extensions/targets4.man
 	${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r extensions/matches4.man' -e '/@TARGET@/ r extensions/targets4.man' $< >$@;
diff --git a/extensions/GNUmakefile.in b/extensions/GNUmakefile.in
index e1f1f49..709366a 100644
--- a/extensions/GNUmakefile.in
+++ b/extensions/GNUmakefile.in
@@ -56,8 +56,8 @@ targets := libext4.a libext6.a matches4.man matches6.man \
 targets_install :=
 @ENABLE_STATIC_TRUE@ libext4_objs := ${pfx_objs} ${pf4_objs}
 @ENABLE_STATIC_TRUE@ libext6_objs := ${pfx_objs} ${pf6_objs}
-@ENABLE_SHARED_TRUE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
-@ENABLE_SHARED_TRUE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
+@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
+@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pf4_solibs} ${pf6_solibs}
 
 .SECONDARY:
 
diff --git a/include/xtables.h.in b/include/xtables.h.in
index 7468302..3955716 100644
--- a/include/xtables.h.in
+++ b/include/xtables.h.in
@@ -277,7 +277,7 @@ extern void xtables_ip6parse_multiple(const char *, struct in6_addr **,
  */
 extern void xtables_save_string(const char *value);
 
-#ifdef NO_SHARED_LIBS
+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
 #	ifdef _INIT
 #		undef _init
 #		define _init _INIT
diff --git a/ip6tables-restore.c b/ip6tables-restore.c
index 06a82ae..d0efbee 100644
--- a/ip6tables-restore.c
+++ b/ip6tables-restore.c
@@ -137,7 +137,7 @@ int main(int argc, char *argv[])
 				ip6tables_globals.program_version);
 		exit(1);
 	}
-#ifdef NO_SHARED_LIBS
+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
 	init_extensions();
 #endif
 
diff --git a/ip6tables-save.c b/ip6tables-save.c
index c59608f..dc189e9 100644
--- a/ip6tables-save.c
+++ b/ip6tables-save.c
@@ -148,7 +148,7 @@ int main(int argc, char *argv[])
 				ip6tables_globals.program_version);
 		exit(1);
 	}
-#ifdef NO_SHARED_LIBS
+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
 	init_extensions();
 #endif
 
diff --git a/ip6tables-standalone.c b/ip6tables-standalone.c
index 649ac3d..8661bd9 100644
--- a/ip6tables-standalone.c
+++ b/ip6tables-standalone.c
@@ -58,7 +58,7 @@ main(int argc, char *argv[])
 		exit(1);
 	}
 
-#ifdef NO_SHARED_LIBS
+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
 	init_extensions();
 #endif
 
diff --git a/iptables-restore.c b/iptables-restore.c
index 5108fda..86d63e2 100644
--- a/iptables-restore.c
+++ b/iptables-restore.c
@@ -140,7 +140,7 @@ main(int argc, char *argv[])
 				iptables_globals.program_version);
 		exit(1);
 	}
-#ifdef NO_SHARED_LIBS
+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
 	init_extensions();
 #endif
 
diff --git a/iptables-save.c b/iptables-save.c
index f63ee6b..3bcf422 100644
--- a/iptables-save.c
+++ b/iptables-save.c
@@ -148,7 +148,7 @@ main(int argc, char *argv[])
 				iptables_globals.program_version);
 		exit(1);
 	}
-#ifdef NO_SHARED_LIBS
+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
 	init_extensions();
 #endif
 
diff --git a/iptables-standalone.c b/iptables-standalone.c
index 9185388..1f60e31 100644
--- a/iptables-standalone.c
+++ b/iptables-standalone.c
@@ -58,7 +58,7 @@ main(int argc, char *argv[])
 				iptables_globals.program_version);
 				exit(1);
 	}
-#ifdef NO_SHARED_LIBS
+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
 	init_extensions();
 #endif
 
-- 
1.6.3.3

[PATCH 5/5] build: build only iptables-multi

[Jan Engelhardt]

I see no pressing reason to install all single programs when the
multi binary can do the job. Within the build directory, developers
can run the components by means of, for example,

	./ip6tables-multi {main|restore|save} ...

And when make install-ed, symlinks are available.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 Makefile.am |   50 +++++++++++++-------------------------------------
 1 files changed, 13 insertions(+), 37 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index fc779e9..6bf40af 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -34,12 +34,6 @@ libxtables_la_CFLAGS  = ${AM_CFLAGS} -DNO_SHARED_LIBS=1
 libxtables_la_LIBADD  =
 endif
 
-# iptables, dynamic
-iptables_SOURCES          = iptables-standalone.c iptables.c xshared.c
-iptables_LDFLAGS          = -rdynamic
-iptables_LDADD            = libiptc/libip4tc.la extensions/libext4.a libxtables.la -lm
-
-iptables_xml_LDADD        = libxtables.la
 iptables_multi_SOURCES    = iptables-multi.c iptables-save.c \
                             iptables-restore.c iptables-xml.c \
                             iptables-standalone.c iptables.c xshared.c
@@ -47,23 +41,8 @@ iptables_multi_CFLAGS     = ${AM_CFLAGS} -DIPTABLES_MULTI
 if ENABLE_STATIC
 iptables_multi_CFLAGS    += -DALL_INCLUSIVE
 endif
-iptables_multi_LDFLAGS    = ${iptables_LDFLAGS}
-iptables_multi_LDADD      = ${iptables_LDADD}
-
-iptables_restore_SOURCES  = iptables-restore.c iptables.c xshared.c
-iptables_restore_LDFLAGS  = ${iptables_LDFLAGS}
-iptables_restore_LDADD    = ${iptables_LDADD}
-
-iptables_save_SOURCES     = iptables-save.c iptables.c xshared.c
-iptables_save_LDFLAGS     = ${iptables_LDFLAGS}
-iptables_save_LDADD       = ${iptables_LDADD}
-
-iptables_xml_SOURCES      = iptables-xml.c
-
-# ip6tables, dynamic
-ip6tables_SOURCES         = ip6tables-standalone.c ip6tables.c xshared.c
-ip6tables_LDFLAGS         = -rdynamic
-ip6tables_LDADD           = libiptc/libip6tc.la extensions/libext6.a libxtables.la -lm
+iptables_multi_LDFLAGS    = -rdynamic
+iptables_multi_LDADD      = libiptc/libip4tc.la extensions/libext4.a libxtables.la -lm
 
 ip6tables_multi_SOURCES   = ip6tables-multi.c ip6tables-save.c \
                             ip6tables-restore.c ip6tables-standalone.c \
@@ -72,30 +51,23 @@ ip6tables_multi_CFLAGS    = ${AM_CFLAGS} -DIPTABLES_MULTI
 if ENABLE_STATIC
 ip6tables_multi_CFLAGS   += -DALL_INCLUSIVE
 endif
-ip6tables_multi_LDFLAGS   = ${ip6tables_LDFLAGS}
-ip6tables_multi_LDADD     = ${ip6tables_LDADD}
-
-ip6tables_restore_SOURCES = ip6tables-restore.c ip6tables.c xshared.c
-ip6tables_restore_LDFLAGS = ${ip6tables_LDFLAGS}
-ip6tables_restore_LDADD   = ${ip6tables_LDADD}
-
-ip6tables_save_SOURCES    = ip6tables-save.c ip6tables.c xshared.c
-ip6tables_save_LDFLAGS    = ${ip6tables_LDFLAGS}
-ip6tables_save_LDADD      = ${ip6tables_LDADD}
+ip6tables_multi_LDFLAGS   = -rdynamic
+ip6tables_multi_LDADD     = libiptc/libip6tc.la extensions/libext6.a libxtables.la -lm
 
-bin_PROGRAMS     = iptables-xml
 sbin_PROGRAMS    =
-noinst_PROGRAMS  =
 man_MANS         = iptables.8 iptables-restore.8 iptables-save.8 \
                    iptables-xml.8 ip6tables.8 ip6tables-restore.8 \
                    ip6tables-save.8
 CLEANFILES       = iptables.8 ip6tables.8
 
 if ENABLE_IPV4
-sbin_PROGRAMS += iptables iptables-multi iptables-restore iptables-save
+sbin_PROGRAMS += iptables-multi
+v4_bin_links   = iptables-xml
+v4_sbin_links  = iptables iptables-restore iptables-save
 endif
 if ENABLE_IPV6
-sbin_PROGRAMS += ip6tables ip6tables-multi ip6tables-restore ip6tables-save
+sbin_PROGRAMS += ip6tables-multi
+v6_sbin_links  = ip6tables ip6tables-restore ip6tables-save
 endif
 
 iptables.8: ${srcdir}/iptables.8.in extensions/matches4.man extensions/targets4.man
@@ -120,3 +92,7 @@ config.status: extensions/GNUmakefile.in \
 # Using if..fi avoids an ugly "error (ignored)" message :)
 install-exec-hook:
 	-if test -z "${DESTDIR}"; then /sbin/ldconfig; fi;
+	${INSTALL} -dm0755 "${DESTDIR}${bindir}";
+	for i in ${v4_bin_links}; do ${LN_S} -f "${sbindir}/iptables-multi" "${DESTDIR}${bindir}/$$i"; done;
+	for i in ${v4_sbin_links}; do ${LN_S} -f iptables-multi "${DESTDIR}${sbindir}/$$i"; done;
+	for i in ${v6_sbin_links}; do ${LN_S} -f ip6tables-multi "${DESTDIR}${sbindir}/$$i"; done;
-- 
1.6.3.3

Re:

[Patrick McHardy]

Jan Engelhardt wrote:
> Hi Patrick,
> 
> Please pull from
> 	git://dev.medozas.de/iptables master
> 
> which contains a pack of patches to build iptables without libdl,
> obsoleting iptables-static (leaving -multi) and using the -multi
> program exclusively.

Pulled and pushed out again, thanks.

Re: [PATCH] net/netfilter/ipvs: Fix data-race in ip_vs_add_service / ip_vs_out_hook

[Julian Anastasov]

	Hello,

On Tue, 26 Aug 2025, Zhang Tengfei wrote:

> A data-race was detected by KCSAN between ip_vs_add_service() which
> acts as a writer, and ip_vs_out_hook() which acts as a reader. This
> can lead to unpredictable behavior and crashes. One observed symptom
> is the "no destination available" error when processing packets.
> 
> The race occurs on the `enable` flag within the `netns_ipvs`
> struct. This flag was being written in the configuration path without
> any protection, while concurrently being read in the packet processing
> path. This lack of synchronization means a reader on one CPU could see a
> partially initialized service, leading to incorrect behavior.
> 
> To fix this, convert the `enable` flag from a plain integer to an
> atomic_t. This ensures that all reads and writes to the flag are atomic.
> More importantly, using atomic_set() and atomic_read() provides the
> necessary memory barriers to guarantee that changes to other fields of
> the service are visible to the reader CPU before the service is marked
> as enabled.
> 
> Reported-by: syzbot+1651b5234028c294c339@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=1651b5234028c294c339
> Signed-off-by: Zhang Tengfei <zhtfdev@gmail.com>
> ---
>  include/net/ip_vs.h             |  2 +-
>  net/netfilter/ipvs/ip_vs_conn.c |  4 ++--
>  net/netfilter/ipvs/ip_vs_core.c | 10 +++++-----
>  net/netfilter/ipvs/ip_vs_ctl.c  |  6 +++---
>  net/netfilter/ipvs/ip_vs_est.c  | 16 ++++++++--------
>  5 files changed, 19 insertions(+), 19 deletions(-)
> 

> diff --git a/net/netfilter/ipvs/ip_vs_est.c b/net/netfilter/ipvs/ip_vs_est.c
> index 15049b826732..c5aa2660de92 100644
> --- a/net/netfilter/ipvs/ip_vs_est.c
> +++ b/net/netfilter/ipvs/ip_vs_est.c
...
> @@ -757,7 +757,7 @@ static void ip_vs_est_calc_phase(struct netns_ipvs *ipvs)
>  	mutex_lock(&ipvs->est_mutex);
>  	for (id = 1; id < ipvs->est_kt_count; id++) {
>  		/* netns clean up started, abort */
> -		if (!ipvs->enable)
> +		if (!atomic_read(&ipvs->enable))
>  			goto unlock2;

	It is a simple flag but as it is checked in loops
in a few places in ip_vs_est.c, lets use READ_ONCE/WRITE_ONCE as
suggested by Florian and Eric. The 3 checks in hooks in ip_vs_core.c
can be simply removed: in ip_vs_out_hook, ip_vs_in_hook and
ip_vs_forward_icmp. We can see enable=0 in rare cases which is
not fatal. It is a flying packet in two possible cases:

1. after hooks are registered but before the flag is set
2. after the hooks are unregistered on cleanup_net

Regards

--
Julian Anastasov <ja@ssi.bg>

(no subject)

[Zhang Tengfei]

Hi everyone,

Here is the v2 patch that incorporates the feedback.

Many thanks to Julian for his thorough review and for providing 
the detailed plan for this new version, and thanks to Florian 
and Eric for suggestions.

Subject: [PATCH v2] net/netfilter/ipvs: Use READ_ONCE/WRITE_ONCE for
 ipvs->enable

KCSAN reported a data-race on the `ipvs->enable` flag, which is
written in the control path and read concurrently from many other
contexts.

Following a suggestion by Julian, this patch fixes the race by
converting all accesses to use `WRITE_ONCE()/READ_ONCE()`.
This lightweight approach ensures atomic access and acts as a
compiler barrier, preventing unsafe optimizations where the flag
is checked in loops (e.g., in ip_vs_est.c).

Additionally, the now-obsolete `enable` checks in the fast path
hooks (`ip_vs_in_hook`, `ip_vs_out_hook`, `ip_vs_forward_icmp`)
are removed. These are unnecessary since commit 857ca89711de
("ipvs: register hooks only with services").

Reported-by: syzbot+1651b5234028c294c339@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=1651b5234028c294c339
Suggested-by: Julian Anastasov <ja@ssi.bg>
Link: https://lore.kernel.org/lvs-devel/2189fc62-e51e-78c9-d1de-d35b8e3657e3@ssi.bg/
Signed-off-by: Zhang Tengfei <zhtfdev@gmail.com>

---
v2:
- Switched from atomic_t to the suggested READ_ONCE()/WRITE_ONCE().
- Removed obsolete checks from the packet processing hooks.
- Polished commit message based on feedback.
---
 net/netfilter/ipvs/ip_vs_conn.c |  4 ++--
 net/netfilter/ipvs/ip_vs_core.c | 11 ++++-------
 net/netfilter/ipvs/ip_vs_ctl.c  |  6 +++---
 net/netfilter/ipvs/ip_vs_est.c  | 16 ++++++++--------
 4 files changed, 17 insertions(+), 20 deletions(-)

diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c
index 965f3c8e5..37ebb0cb6 100644
--- a/net/netfilter/ipvs/ip_vs_conn.c
+++ b/net/netfilter/ipvs/ip_vs_conn.c
@@ -885,7 +885,7 @@ static void ip_vs_conn_expire(struct timer_list *t)
 			 * conntrack cleanup for the net.
 			 */
 			smp_rmb();
-			if (ipvs->enable)
+			if (READ_ONCE(ipvs->enable))
 				ip_vs_conn_drop_conntrack(cp);
 		}
 
@@ -1439,7 +1439,7 @@ void ip_vs_expire_nodest_conn_flush(struct netns_ipvs *ipvs)
 		cond_resched_rcu();
 
 		/* netns clean up started, abort delayed work */
-		if (!ipvs->enable)
+		if (!READ_ONCE(ipvs->enable))
 			break;
 	}
 	rcu_read_unlock();
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index c7a8a08b7..5ea7ab8bf 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1353,9 +1353,6 @@ ip_vs_out_hook(void *priv, struct sk_buff *skb, const struct nf_hook_state *stat
 	if (unlikely(!skb_dst(skb)))
 		return NF_ACCEPT;
 
-	if (!ipvs->enable)
-		return NF_ACCEPT;
-
 	ip_vs_fill_iph_skb(af, skb, false, &iph);
 #ifdef CONFIG_IP_VS_IPV6
 	if (af == AF_INET6) {
@@ -1940,7 +1937,7 @@ ip_vs_in_hook(void *priv, struct sk_buff *skb, const struct nf_hook_state *state
 		return NF_ACCEPT;
 	}
 	/* ipvs enabled in this netns ? */
-	if (unlikely(sysctl_backup_only(ipvs) || !ipvs->enable))
+	if (unlikely(sysctl_backup_only(ipvs)))
 		return NF_ACCEPT;
 
 	ip_vs_fill_iph_skb(af, skb, false, &iph);
@@ -2108,7 +2105,7 @@ ip_vs_forward_icmp(void *priv, struct sk_buff *skb,
 	int r;
 
 	/* ipvs enabled in this netns ? */
-	if (unlikely(sysctl_backup_only(ipvs) || !ipvs->enable))
+	if (unlikely(sysctl_backup_only(ipvs)))
 		return NF_ACCEPT;
 
 	if (state->pf == NFPROTO_IPV4) {
@@ -2295,7 +2292,7 @@ static int __net_init __ip_vs_init(struct net *net)
 		return -ENOMEM;
 
 	/* Hold the beast until a service is registered */
-	ipvs->enable = 0;
+	WRITE_ONCE(ipvs->enable, 0);
 	ipvs->net = net;
 	/* Counters used for creating unique names */
 	ipvs->gen = atomic_read(&ipvs_netns_cnt);
@@ -2367,7 +2364,7 @@ static void __net_exit __ip_vs_dev_cleanup_batch(struct list_head *net_list)
 		ipvs = net_ipvs(net);
 		ip_vs_unregister_hooks(ipvs, AF_INET);
 		ip_vs_unregister_hooks(ipvs, AF_INET6);
-		ipvs->enable = 0;	/* Disable packet reception */
+		WRITE_ONCE(ipvs->enable, 0);	/* Disable packet reception */
 		smp_wmb();
 		ip_vs_sync_net_cleanup(ipvs);
 	}
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 6a6fc4478..4c8fa22be 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -256,7 +256,7 @@ static void est_reload_work_handler(struct work_struct *work)
 		struct ip_vs_est_kt_data *kd = ipvs->est_kt_arr[id];
 
 		/* netns clean up started, abort delayed work */
-		if (!ipvs->enable)
+		if (!READ_ONCE(ipvs->enable))
 			goto unlock;
 		if (!kd)
 			continue;
@@ -1483,9 +1483,9 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u,
 
 	*svc_p = svc;
 
-	if (!ipvs->enable) {
+	if (!READ_ONCE(ipvs->enable)) {
 		/* Now there is a service - full throttle */
-		ipvs->enable = 1;
+		WRITE_ONCE(ipvs->enable, 1);
 
 		/* Start estimation for first time */
 		ip_vs_est_reload_start(ipvs);
diff --git a/net/netfilter/ipvs/ip_vs_est.c b/net/netfilter/ipvs/ip_vs_est.c
index 15049b826..93a925f1e 100644
--- a/net/netfilter/ipvs/ip_vs_est.c
+++ b/net/netfilter/ipvs/ip_vs_est.c
@@ -231,7 +231,7 @@ static int ip_vs_estimation_kthread(void *data)
 void ip_vs_est_reload_start(struct netns_ipvs *ipvs)
 {
 	/* Ignore reloads before first service is added */
-	if (!ipvs->enable)
+	if (!READ_ONCE(ipvs->enable))
 		return;
 	ip_vs_est_stopped_recalc(ipvs);
 	/* Bump the kthread configuration genid */
@@ -306,7 +306,7 @@ static int ip_vs_est_add_kthread(struct netns_ipvs *ipvs)
 	int i;
 
 	if ((unsigned long)ipvs->est_kt_count >= ipvs->est_max_threads &&
-	    ipvs->enable && ipvs->est_max_threads)
+	    READ_ONCE(ipvs->enable) && ipvs->est_max_threads)
 		return -EINVAL;
 
 	mutex_lock(&ipvs->est_mutex);
@@ -343,7 +343,7 @@ static int ip_vs_est_add_kthread(struct netns_ipvs *ipvs)
 	}
 
 	/* Start kthread tasks only when services are present */
-	if (ipvs->enable && !ip_vs_est_stopped(ipvs)) {
+	if (READ_ONCE(ipvs->enable) && !ip_vs_est_stopped(ipvs)) {
 		ret = ip_vs_est_kthread_start(ipvs, kd);
 		if (ret < 0)
 			goto out;
@@ -486,7 +486,7 @@ int ip_vs_start_estimator(struct netns_ipvs *ipvs, struct ip_vs_stats *stats)
 	struct ip_vs_estimator *est = &stats->est;
 	int ret;
 
-	if (!ipvs->est_max_threads && ipvs->enable)
+	if (!ipvs->est_max_threads && READ_ONCE(ipvs->enable))
 		ipvs->est_max_threads = ip_vs_est_max_threads(ipvs);
 
 	est->ktid = -1;
@@ -663,7 +663,7 @@ static int ip_vs_est_calc_limits(struct netns_ipvs *ipvs, int *chain_max)
 			/* Wait for cpufreq frequency transition */
 			wait_event_idle_timeout(wq, kthread_should_stop(),
 						HZ / 50);
-			if (!ipvs->enable || kthread_should_stop())
+			if (!READ_ONCE(ipvs->enable) || kthread_should_stop())
 				goto stop;
 		}
 
@@ -681,7 +681,7 @@ static int ip_vs_est_calc_limits(struct netns_ipvs *ipvs, int *chain_max)
 		rcu_read_unlock();
 		local_bh_enable();
 
-		if (!ipvs->enable || kthread_should_stop())
+		if (!READ_ONCE(ipvs->enable) || kthread_should_stop())
 			goto stop;
 		cond_resched();
 
@@ -757,7 +757,7 @@ static void ip_vs_est_calc_phase(struct netns_ipvs *ipvs)
 	mutex_lock(&ipvs->est_mutex);
 	for (id = 1; id < ipvs->est_kt_count; id++) {
 		/* netns clean up started, abort */
-		if (!ipvs->enable)
+		if (!READ_ONCE(ipvs->enable))
 			goto unlock2;
 		kd = ipvs->est_kt_arr[id];
 		if (!kd)
@@ -787,7 +787,7 @@ static void ip_vs_est_calc_phase(struct netns_ipvs *ipvs)
 	id = ipvs->est_kt_count;
 
 next_kt:
-	if (!ipvs->enable || kthread_should_stop())
+	if (!READ_ONCE(ipvs->enable) || kthread_should_stop())
 		goto unlock;
 	id--;
 	if (id < 0)
-- 
2.34.1

Re:

[Pablo Neira Ayuso]

On Wed, Aug 27, 2025 at 10:43:42PM +0800, Zhang Tengfei wrote:
> Hi everyone,
> 
> Here is the v2 patch that incorporates the feedback.

Patch without subject will not fly too far, I'm afraid you will have
to resubmit. One more comment below.

> Many thanks to Julian for his thorough review and for providing 
> the detailed plan for this new version, and thanks to Florian 
> and Eric for suggestions.
> 
> Subject: [PATCH v2] net/netfilter/ipvs: Use READ_ONCE/WRITE_ONCE for
>  ipvs->enable
> 
> KCSAN reported a data-race on the `ipvs->enable` flag, which is
> written in the control path and read concurrently from many other
> contexts.
> 
> Following a suggestion by Julian, this patch fixes the race by
> converting all accesses to use `WRITE_ONCE()/READ_ONCE()`.
> This lightweight approach ensures atomic access and acts as a
> compiler barrier, preventing unsafe optimizations where the flag
> is checked in loops (e.g., in ip_vs_est.c).
> 
> Additionally, the now-obsolete `enable` checks in the fast path
> hooks (`ip_vs_in_hook`, `ip_vs_out_hook`, `ip_vs_forward_icmp`)
> are removed. These are unnecessary since commit 857ca89711de
> ("ipvs: register hooks only with services").
> 
> Reported-by: syzbot+1651b5234028c294c339@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=1651b5234028c294c339
> Suggested-by: Julian Anastasov <ja@ssi.bg>
> Link: https://lore.kernel.org/lvs-devel/2189fc62-e51e-78c9-d1de-d35b8e3657e3@ssi.bg/
> Signed-off-by: Zhang Tengfei <zhtfdev@gmail.com>
> 
> ---
> v2:
> - Switched from atomic_t to the suggested READ_ONCE()/WRITE_ONCE().
> - Removed obsolete checks from the packet processing hooks.
> - Polished commit message based on feedback.
> ---
>  net/netfilter/ipvs/ip_vs_conn.c |  4 ++--
>  net/netfilter/ipvs/ip_vs_core.c | 11 ++++-------
>  net/netfilter/ipvs/ip_vs_ctl.c  |  6 +++---
>  net/netfilter/ipvs/ip_vs_est.c  | 16 ++++++++--------
>  4 files changed, 17 insertions(+), 20 deletions(-)
[...]
> diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
> index c7a8a08b7..5ea7ab8bf 100644
> --- a/net/netfilter/ipvs/ip_vs_core.c
> +++ b/net/netfilter/ipvs/ip_vs_core.c
> @@ -1353,9 +1353,6 @@ ip_vs_out_hook(void *priv, struct sk_buff *skb, const struct nf_hook_state *stat
>  	if (unlikely(!skb_dst(skb)))
>  		return NF_ACCEPT;
>  
> -	if (!ipvs->enable)
> -		return NF_ACCEPT;

Patch does say why is this going away? If you think this is not
necessary, then make a separated patch and example why this is needed?

Thanks

>  	ip_vs_fill_iph_skb(af, skb, false, &iph);
>  #ifdef CONFIG_IP_VS_IPV6
>  	if (af == AF_INET6) {

Re:

[Amos Kalonzo]

Attn:

I am wondering why You haven't respond to my email for some days now.
reference to my client's contract balance payment of (11.7M,USD)
Kindly get back to me for more details.

Best Regards

Amos Kalonzo

RE:

[Qin's Yanjun]

----
How are you today and your family? I require your attention and honest
co-operation about some issues which i will really want to discuss with you
which.  Looking forward to read from you soon.  

Qin's


______________________________

Sky Silk, http://aknet.kz

RE:

[JO Bower]

Your email address has brought you an unexpected luck, which was selected in The Euro Millions Lottery and subsequently won you the sum of €1,000,000.00 Euros. Contact Monica Torres Email: monicatorresesp@gmail.com to claim your prize.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re:

[christain147]

Good day,hoping you read this email and respond to me in good time.I do not intend to solicit for funds but  your time and energy in using my own resources to assist the less privileged.I am medically confined at the moment hence I request your indulgence.
I will give you a comprehensive brief once I hear from you.

Please forward your response to my private email address:
gudworks104@yahoo.com

Thanks and reply.

Robert Grondahl

RE:

[W. Cheung]

 I have a very lucrative business transaction which requires the utmost discretion. If you are interested, kindly contact me ASAP for full details.

Warm Regards,
William Cheung

Re:

[James Brown]

https://docs.google.com/document/d/1yAkUys2osN7co_KbzphWLLsoe-TPq7ELZhoySYvzjF0/edit

Re:

[Mistick Levi]

What's up with all those mail's about business proposal's that are
sent to the mailing list?!

On Sat, Oct 9, 2010 at 7:26 PM, Mr.Young Chang <info@yahoo.com> wrote:
> My name is Mr.Young Chang,Credit officer MEVAS BANK,HK.I have a Business
> Proposal of $19.7 million usd for you to handle with me.Are you interested?
>
>
>
>
>
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re:

[William Wilcox]

Good day!
My name is Sir William Wilcox,I work with the Euro Lottery. I can help you
win 4,528,000 GBP.But I charge 40% of the winning.Can we do this deal
together? Email me; william.wilcox98@gmail.com

(unknown),

[Jan Engelhardt]

Hi,


here are three commits that fix bugzilla entries and/or other
problems encountered. There are also two extra commits prepended
without any changes, which only provide missing log entries for
already-merged commits.


The following changes since commit 7fa7329fc972513021131416dbd9d535141bd2ea:
  Jan Engelhardt (1):
        iprange: roll address parsing into a loop

are available in the git repository at:

  git://dev.medozas.de/iptables master

Jan Engelhardt (4):
      iprange: do accept non-ranges for xt_iprange v1 (log)
      iprange: warn on reverse range (log)
      libiptc: fix wrong maptype of base chain counters on restore
      iptables: fix undersized deletion mask creation

Olaf Rempel (1):
      build: restore --disable-ipv6 functionality on system w/o v6 headers

 ip6tables.c       |   14 ++++++++------
 iptables.c        |   14 ++++++++------
 libiptc/libiptc.c |    2 +-
 xtables.c         |    3 ++-
 4 files changed, 19 insertions(+), 14 deletions(-)

Re:

[Patrick McHardy]

Jan Engelhardt wrote:
> here are three commits that fix bugzilla entries and/or other
> problems encountered. There are also two extra commits prepended
> without any changes, which only provide missing log entries for
> already-merged commits.

Just to clarify before I apply this - how does adding changelog
entries afterwards work? Am I correct to assume that this won't
affect this history of the tree and existing clones?

Re:

[Jan Engelhardt]

On Thursday 2009-10-29 23:26, Patrick McHardy wrote:

>Jan Engelhardt wrote:
>> here are three commits that fix bugzilla entries and/or other
>> problems encountered. There are also two extra commits prepended
>> without any changes, which only provide missing log entries for
>> already-merged commits.
>
>Just to clarify before I apply this - how does adding changelog
>entries afterwards work? Am I correct to assume that this won't
>affect this history of the tree and existing clones?

I just used `git commit --allow-empty -e` to record a plain commit on 
top, just without any change in the tree object. Take a look in 
git-forest/gitk if in doubt ;-)

Re:

[Patrick McHardy]

Jan Engelhardt wrote:
> On Thursday 2009-10-29 23:26, Patrick McHardy wrote:
> 
>> Jan Engelhardt wrote:
>>> here are three commits that fix bugzilla entries and/or other
>>> problems encountered. There are also two extra commits prepended
>>> without any changes, which only provide missing log entries for
>>> already-merged commits.
>> Just to clarify before I apply this - how does adding changelog
>> entries afterwards work? Am I correct to assume that this won't
>> affect this history of the tree and existing clones?
> 
> I just used `git commit --allow-empty -e` to record a plain commit on 
> top, just without any change in the tree object. Take a look in 
> git-forest/gitk if in doubt ;-)

Nice. Pulled and pushed out again, thanks.

(unknown),

[Jan Engelhardt]

Please pull from
	git://dev.medozas.de/iptables master

to receive

Jan Engelhardt (2+1):
      xt_conntrack: revision 2 for enlarged state_mask member
      libxt_helper: fix invalid passed option to check_inverse
      Merge branch 'stable'

Diffstat:
Updating 80fcb7b..8e4daca
Fast forward
 extensions/libxt_conntrack.c           |  159 +++++++++++++++++++++++++++----
 extensions/libxt_helper.c              |    2 +-
 include/linux/netfilter/xt_conntrack.h |   13 +++
 3 files changed, 152 insertions(+), 22 deletions(-)

Re:

[Patrick McHardy]

Jan Engelhardt wrote:
> Please pull from
> 	git://dev.medozas.de/iptables master
> 
> to receive
> 
> Jan Engelhardt (2+1):
>       xt_conntrack: revision 2 for enlarged state_mask member
>       libxt_helper: fix invalid passed option to check_inverse

Pulled and pushed back out again, thanks.

(unknown),

[Jan Engelhardt]

Hi,


here are a number of patches I am suggesting for the -master branch
(-stable is separate in my view and my management, but see other
discussion thread).
Pullable from
	git://dev.medozas.de/iptables master


Jan Engelhardt (9):
      libiptc: split v4 and v6
      extensions: collapse registration structures
      iptables: allow for parse-less extensions
      iptables: allow for help-less extensions
      extensions: remove empty help and parse functions
      xtables: add multi-registration functions
      extensions: collapse data variables to use multi-reg calls
      xtables: warn of missing version identifier in extensions
      COMMIT_NOTES: notice to check for soversion bumps

Michael Granzow (1):
      iptables: accept multiple IP address specifications for -s, -d


(Shall I post the entire mergestat, or just the "X files changed" line?)

 COMMIT_NOTES                   |    6 +-
 Makefile.am                    |   35 ++++---
 configure.ac                   |    4 +-
 extensions/libip6t_eui64.c     |   26 -----
 extensions/libipt_MIRROR.c     |   20 ----
 extensions/libipt_addrtype.c   |   58 ++++++------
 extensions/libipt_unclean.c    |   16 ---
 extensions/libxt_CONNMARK.c    |   98 +++++++-------------
 extensions/libxt_CONNSECMARK.c |   18 +----
 extensions/libxt_DSCP.c        |   17 +---
 extensions/libxt_MARK.c        |  106 +++++++++-------------
 extensions/libxt_NFLOG.c       |   17 +---
 extensions/libxt_NFQUEUE.c     |   16 +---
 extensions/libxt_NOTRACK.c     |   33 +-------
 extensions/libxt_TCPOPTSTRIP.c |   18 +----
 extensions/libxt_TOS.c         |   76 ++++++---------
 extensions/libxt_TRACE.c       |   13 ---
 extensions/libxt_comment.c     |   17 +---
 extensions/libxt_connbytes.c   |   17 +---
 extensions/libxt_connlimit.c   |   60 ++++++------
 extensions/libxt_connmark.c    |   92 ++++++-------------
 extensions/libxt_conntrack.c   |   90 +++++++++---------
 extensions/libxt_dccp.c        |   17 +---
 extensions/libxt_dscp.c        |   17 +---
 extensions/libxt_esp.c         |   17 +---
 extensions/libxt_hashlimit.c   |  113 ++++++++++-------------
 extensions/libxt_helper.c      |   16 +---
 extensions/libxt_iprange.c     |   90 +++++++++---------
 extensions/libxt_mac.c         |   17 +---
 extensions/libxt_mark.c        |   60 ++++++------
 extensions/libxt_multiport.c   |  120 ++++++++++++-------------
 extensions/libxt_owner.c       |  106 +++++++++-------------
 extensions/libxt_physdev.c     |   17 +---
 extensions/libxt_policy.c      |   56 ++++++------
 extensions/libxt_recent.c      |   19 +----
 extensions/libxt_sctp.c        |   17 +---
 extensions/libxt_socket.c      |   20 ----
 extensions/libxt_standard.c    |   12 ---
 extensions/libxt_state.c       |   17 +---
 extensions/libxt_string.c      |   64 +++++++-------
 extensions/libxt_tcp.c         |   17 +---
 extensions/libxt_tcpmss.c      |   17 +---
 extensions/libxt_tos.c         |   76 ++++++---------
 extensions/libxt_udp.c         |   17 +---
 include/xtables.h.in           |    7 ++
 ip6tables.8.in                 |    3 +
 ip6tables.c                    |   76 ++++++++--------
 iptables.8.in                  |    7 +-
 iptables.c                     |   69 ++++++++-------
 xshared.c                      |   31 ++++++
 xshared.h                      |   10 ++
 xtables.c                      |  199 ++++++++++++++++++++++++++++++++++++++++
 52 files changed, 929 insertions(+), 1248 deletions(-)
 create mode 100644 xshared.c
 create mode 100644 xshared.h

Re:

[Patrick McHardy]

Jan Engelhardt wrote:
> Hi,
> 
> 
> here are a number of patches I am suggesting for the -master branch
> (-stable is separate in my view and my management, but see other
> discussion thread).
> Pullable from
> 	git://dev.medozas.de/iptables master
> 
> 
> Jan Engelhardt (9):
>       libiptc: split v4 and v6
>       extensions: collapse registration structures
>       iptables: allow for parse-less extensions
>       iptables: allow for help-less extensions
>       extensions: remove empty help and parse functions
>       xtables: add multi-registration functions
>       extensions: collapse data variables to use multi-reg calls
>       xtables: warn of missing version identifier in extensions
>       COMMIT_NOTES: notice to check for soversion bumps
> 
> Michael Granzow (1):
>       iptables: accept multiple IP address specifications for -s, -d

Looks good, pulled and pushed out again, thanks.

> (Shall I post the entire mergestat, or just the "X files changed" line?)

This is fine, I mainly want something comparable to the git pull output.

Re:

[David Stes]

> Date: Mon, 12 Sep 2005 16:29:38 +0000
> From: Cory Visi <merlin@gentoo.org>
> Subject: patchlets patch submission
> To: netfilter-devel@lists.netfilter.org
> Message-ID: <20050912162938.GB15843@toucan.gentoo.org>
> Content-Type: text/plain; charset="us-ascii"
> 
> I did some work on fixing the conntrack pom addons for the lockhelp.h 
> patch (2.6.13 support essentially). I think I got everything setup except 
> for 2 files.
> 
> Attached is all my work in patch form against a full kernel source. I have 
> a feeling you'd prefer I sent this in some other format or in some other 
> structure of a diff. This is my first time contributing so just let me 
> know how you'd prefer this in the future.
> 
> What's left is:
> - rtsp (part of rsh)

Did you also do the RPC modules ? (RPC for UDP/TCP)

I wonder whether the author(s) of RSH/RPC modules are still reading this list.

If they are, then maybe your 2.6.13 patch (and my older 2.6.12 patches)
could be incorporated.  If they are not, then maybe it's time to see how
future changes to these modules can be coordinated.

Re:?

[Ian Latter]

Hello Eugen,

  I'm sorry but I'm not the H323 author ... and I haven't used netfilter H323
support since ipchains.  I have CCd the netfilter list in case someone 
there can help.





----- Original Message -----
>From: "Soporte Meranetwork" <mera@fibertel.com.ar>
>To: <Ian.Latter@mq.edu.au>
>Subject:  ?
>Date: Mon, 31 Mar 2003 18:56:17 -0300
>
> Good day.I have used IPTabels 1.2.5-3,and dont know that it have or not H323 modul .But 
for recive Call from outside(internet) to inside(throught NAT) - Netmeeting(ATA 186) i use 
thet rules: 
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 192.168.0.0/24 -j MASQUERADE 
>   (intern LAN)
> PORTFWIP="192.168.0.201" ( PC with Netmeting or ATA 186)
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 1720 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 1720 -j DNAT --to 
$PORTFWIP:1720
> But i want to use NAT without  FORWARD ,PREROUTING with H323 ability for any IP in 
LAN.Where i can find IPtables with ability of H323(version) or where is the patch(modul) for 
that ability? Thank your. 
> Buy,
> Eugen

--
Ian Latter
Internet and Networking Security Officer
Macquarie University