mirror of
https://github.com/coolsnowwolf/lede.git
synced 2025-04-16 04:13:31 +00:00
iptables: bump to 1.8.4
This commit is contained in:
lean
parent
4733e0fcce
commit
15ec89986e
@ -9,13 +9,12 @@ include $(TOPDIR)/rules.mk
|
||||
include $(INCLUDE_DIR)/kernel.mk
|
||||
|
||||
PKG_NAME:=iptables
|
||||
PKG_VERSION:=1.8.2
|
||||
PKG_RELEASE:=2
|
||||
PKG_VERSION:=1.8.4
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PKG_SOURCE_PROTO:=git
|
||||
PKG_SOURCE_URL:=https://git.netfilter.org/iptables
|
||||
PKG_SOURCE_VERSION:=bba6bc692b0e6137e13881a1f398c134822e9f83
|
||||
PKG_MIRROR_HASH:=23a61d2a23fc0d587029690ef2564625d78fba4b2d90117edaf5b9eaf55bb7f9
|
||||
PKG_SOURCE_URL:=https://netfilter.org/projects/iptables/files
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
|
||||
PKG_HASH:=993a3a5490a544c2cbf2ef15cf7e7ed21af1845baf228318d5c36ef8827e157c
|
||||
|
||||
PKG_FIXUP:=autoreconf
|
||||
PKG_FLAGS:=nonshared
|
||||
@ -37,7 +36,7 @@ define Package/iptables/Default
|
||||
SECTION:=net
|
||||
CATEGORY:=Network
|
||||
SUBMENU:=Firewall
|
||||
URL:=http://netfilter.org/
|
||||
URL:=https://netfilter.org/
|
||||
endef
|
||||
|
||||
define Package/iptables/Module
|
||||
@ -488,21 +487,12 @@ define Package/ip6tables-mod-nat/description
|
||||
iptables extensions for IPv6-NAT targets.
|
||||
endef
|
||||
|
||||
define Package/libiptc
|
||||
$(call Package/iptables/Default)
|
||||
SECTION:=libs
|
||||
CATEGORY:=Libraries
|
||||
DEPENDS:=+libip4tc +libip6tc +libxtables
|
||||
ABI_VERSION:=$(PKG_VERSION)
|
||||
TITLE:=IPv4/IPv6 firewall - shared libiptc library (nf compatibility stub)
|
||||
endef
|
||||
|
||||
define Package/libip4tc
|
||||
$(call Package/iptables/Default)
|
||||
SECTION:=libs
|
||||
CATEGORY:=Libraries
|
||||
TITLE:=IPv4 firewall - shared libiptc library
|
||||
ABI_VERSION:=$(PKG_VERSION)
|
||||
ABI_VERSION:=2
|
||||
DEPENDS:=+libxtables
|
||||
endef
|
||||
|
||||
@ -511,7 +501,7 @@ $(call Package/iptables/Default)
|
||||
SECTION:=libs
|
||||
CATEGORY:=Libraries
|
||||
TITLE:=IPv6 firewall - shared libiptc library
|
||||
ABI_VERSION:=$(PKG_VERSION)
|
||||
ABI_VERSION:=2
|
||||
DEPENDS:=+libxtables
|
||||
endef
|
||||
|
||||
@ -520,7 +510,7 @@ define Package/libxtables
|
||||
SECTION:=libs
|
||||
CATEGORY:=Libraries
|
||||
TITLE:=IPv4/IPv6 firewall - shared xtables library
|
||||
ABI_VERSION:=$(PKG_VERSION)
|
||||
ABI_VERSION:=12
|
||||
DEPENDS:= \
|
||||
+IPTABLES_CONNLABEL:libnetfilter-conntrack \
|
||||
+IPTABLES_NFTABLES:libnftnl
|
||||
@ -531,7 +521,7 @@ define Package/libxtables-nft
|
||||
SECTION:=libs
|
||||
CATEGORY:=Libraries
|
||||
TITLE:=IPv4/IPv6 firewall - shared xtables nft library
|
||||
ABI_VERSION:=$(PKG_VERSION)
|
||||
ABI_VERSION:=12
|
||||
DEPENDS:=libxtables
|
||||
endef
|
||||
|
||||
@ -630,26 +620,21 @@ define Package/ip6tables-nft/install
|
||||
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/ip6tables{,-restore}-translate $(1)/usr/sbin/
|
||||
endef
|
||||
|
||||
define Package/libiptc/install
|
||||
$(INSTALL_DIR) $(1)/usr/lib
|
||||
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libiptc.so* $(1)/usr/lib/
|
||||
endef
|
||||
|
||||
define Package/libip4tc/install
|
||||
$(INSTALL_DIR) $(1)/usr/lib
|
||||
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so* $(1)/usr/lib/
|
||||
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip4tc.so.* $(1)/usr/lib/
|
||||
$(CP) $(PKG_BUILD_DIR)/extensions/libiptext4.so $(1)/usr/lib/
|
||||
endef
|
||||
|
||||
define Package/libip6tc/install
|
||||
$(INSTALL_DIR) $(1)/usr/lib
|
||||
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so* $(1)/usr/lib/
|
||||
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libip6tc.so.* $(1)/usr/lib/
|
||||
$(CP) $(PKG_BUILD_DIR)/extensions/libiptext6.so $(1)/usr/lib/
|
||||
endef
|
||||
|
||||
define Package/libxtables/install
|
||||
$(INSTALL_DIR) $(1)/usr/lib
|
||||
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so* $(1)/usr/lib/
|
||||
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libxtables.so.* $(1)/usr/lib/
|
||||
$(CP) $(PKG_BUILD_DIR)/extensions/libiptext.so $(1)/usr/lib/
|
||||
endef
|
||||
|
||||
@ -700,7 +685,6 @@ $(eval $(call BuildPackage,ip6tables))
|
||||
$(eval $(call BuildPackage,ip6tables-nft))
|
||||
$(eval $(call BuildPlugin,ip6tables-extra,$(IPT_IPV6_EXTRA-m)))
|
||||
$(eval $(call BuildPlugin,ip6tables-mod-nat,$(IPT_NAT6-m)))
|
||||
$(eval $(call BuildPackage,libiptc))
|
||||
$(eval $(call BuildPackage,libip4tc))
|
||||
$(eval $(call BuildPackage,libip6tc))
|
||||
$(eval $(call BuildPackage,libxtables))
|
||||
|
||||
@ -1,52 +0,0 @@
|
||||
From 907e429d7548157016cd51aba4adc5d0c7d9f816 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Adam=20Go=C5=82=C4=99biowski?= <adamg@pld-linux.org>
|
||||
Date: Wed, 14 Nov 2018 07:35:28 +0100
|
||||
Subject: extensions: format-security fixes in libip[6]t_icmp
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
commit 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
|
||||
introduced support for gcc feature to check format string against passed
|
||||
argument. This commit adds missing bits to extenstions's libipt_icmp.c
|
||||
and libip6t_icmp6.c that were causing build to fail.
|
||||
|
||||
Fixes: 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add")
|
||||
Signed-off-by: Adam Gołębiowski <adamg@pld-linux.org>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
---
|
||||
extensions/libip6t_icmp6.c | 4 ++--
|
||||
extensions/libipt_icmp.c | 2 +-
|
||||
2 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
--- a/extensions/libip6t_icmp6.c
|
||||
+++ b/extensions/libip6t_icmp6.c
|
||||
@@ -230,7 +230,7 @@ static unsigned int type_xlate_print(str
|
||||
type_name = icmp6_type_xlate(icmptype);
|
||||
|
||||
if (type_name) {
|
||||
- xt_xlate_add(xl, type_name);
|
||||
+ xt_xlate_add(xl, "%s", type_name);
|
||||
} else {
|
||||
for (i = 0; i < ARRAY_SIZE(icmpv6_codes); ++i)
|
||||
if (icmpv6_codes[i].type == icmptype &&
|
||||
@@ -239,7 +239,7 @@ static unsigned int type_xlate_print(str
|
||||
break;
|
||||
|
||||
if (i != ARRAY_SIZE(icmpv6_codes))
|
||||
- xt_xlate_add(xl, icmpv6_codes[i].name);
|
||||
+ xt_xlate_add(xl, "%s", icmpv6_codes[i].name);
|
||||
else
|
||||
return 0;
|
||||
}
|
||||
--- a/extensions/libipt_icmp.c
|
||||
+++ b/extensions/libipt_icmp.c
|
||||
@@ -236,7 +236,7 @@ static unsigned int type_xlate_print(str
|
||||
if (icmp_codes[i].type == icmptype &&
|
||||
icmp_codes[i].code_min == code_min &&
|
||||
icmp_codes[i].code_max == code_max) {
|
||||
- xt_xlate_add(xl, icmp_codes[i].name);
|
||||
+ xt_xlate_add(xl, "%s", icmp_codes[i].name);
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
@ -1,48 +0,0 @@
|
||||
From 8d9d7e4b9ef4c6e6abab2cf35c747d7ca36824bd Mon Sep 17 00:00:00 2001
|
||||
From: Baruch Siach <baruch@tkos.co.il>
|
||||
Date: Fri, 16 Nov 2018 09:30:33 +0200
|
||||
Subject: include: fix build with kernel headers before 4.2
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Commit 672accf1530 (include: update kernel netfilter header files)
|
||||
updated linux/netfilter.h and brought with it the update from kernel
|
||||
commit a263653ed798 (netfilter: don't pull include/linux/netfilter.h
|
||||
from netns headers). This triggers conflict of headers that is fixed in
|
||||
kernel commit 279c6c7fa64f (api: fix compatibility of linux/in.h with
|
||||
netinet/in.h) included in kernel version 4.2. For earlier kernel headers
|
||||
we need a workaround that prevents the headers conflict.
|
||||
|
||||
Fixes the following build failure:
|
||||
|
||||
In file included from .../sysroot/usr/include/netinet/ip.h:25:0,
|
||||
from ../include/libiptc/ipt_kernel_headers.h:8,
|
||||
from ../include/libiptc/libiptc.h:6,
|
||||
from libip4tc.c:29:
|
||||
.../sysroot/usr/include/linux/in.h:26:3: error: redeclaration of enumerator ‘IPPROTO_IP’
|
||||
IPPROTO_IP = 0, /* Dummy protocol for TCP */
|
||||
^
|
||||
.../sysroot/usr/include/netinet/in.h:33:5: note: previous definition of ‘IPPROTO_IP’ was here
|
||||
IPPROTO_IP = 0, /* Dummy protocol for TCP. */
|
||||
^~~~~~~~~~
|
||||
|
||||
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
|
||||
Signed-off-by: Florian Westphal <fw@strlen.de>
|
||||
---
|
||||
include/linux/netfilter.h | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
--- a/include/linux/netfilter.h
|
||||
+++ b/include/linux/netfilter.h
|
||||
@@ -3,8 +3,10 @@
|
||||
|
||||
#include <linux/types.h>
|
||||
|
||||
+#ifndef _NETINET_IN_H
|
||||
#include <linux/in.h>
|
||||
#include <linux/in6.h>
|
||||
+#endif
|
||||
#include <limits.h>
|
||||
|
||||
/* Responses from hook functions. */
|
||||
@ -1,41 +0,0 @@
|
||||
From 51d374ba41ae4f1bb851228c06b030b83dd2092f Mon Sep 17 00:00:00 2001
|
||||
From: Baruch Siach <baruch@tkos.co.il>
|
||||
Date: Tue, 13 Nov 2018 19:22:08 +0200
|
||||
Subject: ebtables: vlan: fix userspace/kernel headers collision
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Build with musl libc fails because of conflicting struct ethhdr
|
||||
definitions:
|
||||
|
||||
In file included from .../sysroot/usr/include/net/ethernet.h:10:0,
|
||||
from ../iptables/nft-bridge.h:8,
|
||||
from libebt_vlan.c:18:
|
||||
.../sysroot/usr/include/netinet/if_ether.h:107:8: error: redefinition of ‘struct ethhdr’
|
||||
struct ethhdr {
|
||||
^~~~~~
|
||||
In file included from libebt_vlan.c:16:0:
|
||||
.../sysroot/usr/include/linux/if_ether.h:160:8: note: originally defined here
|
||||
struct ethhdr {
|
||||
^~~~~~
|
||||
|
||||
Include the userspace header first for the definition suppression logic
|
||||
to do the right thing.
|
||||
|
||||
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
|
||||
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||||
---
|
||||
extensions/libebt_vlan.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
--- a/extensions/libebt_vlan.c
|
||||
+++ b/extensions/libebt_vlan.c
|
||||
@@ -12,6 +12,7 @@
|
||||
#include <getopt.h>
|
||||
#include <ctype.h>
|
||||
#include <xtables.h>
|
||||
+#include <netinet/if_ether.h>
|
||||
#include <linux/netfilter_bridge/ebt_vlan.h>
|
||||
#include <linux/if_ether.h>
|
||||
#include "iptables/nft.h"
|
||||
@ -0,0 +1,459 @@
|
||||
From 74267bacce0c43e5038b0377cb7c08f1ad9d50a3 Mon Sep 17 00:00:00 2001
|
||||
From: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
|
||||
Date: Sat, 23 Mar 2019 10:21:03 +0000
|
||||
Subject: [PATCH] iptables: connmark - add set-dscpmark option for openwrt
|
||||
|
||||
Naive user space front end to xt_connmark 'setdscp' option.
|
||||
|
||||
iptables -A QOS_MARK_eth0 -t mangle -j CONNMARK --set-dscpmark 0xfc000000/0x01000000
|
||||
|
||||
This version has a hack to support a backport to 4.14
|
||||
|
||||
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
|
||||
---
|
||||
extensions/libxt_CONNMARK.c | 315 +++++++++++++++++++++++++-
|
||||
include/linux/netfilter/xt_connmark.h | 10 +
|
||||
2 files changed, 324 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/extensions/libxt_CONNMARK.c b/extensions/libxt_CONNMARK.c
|
||||
index 21e10913..c777b110 100644
|
||||
--- a/extensions/libxt_CONNMARK.c
|
||||
+++ b/extensions/libxt_CONNMARK.c
|
||||
@@ -22,6 +22,7 @@
|
||||
#include <stdbool.h>
|
||||
#include <stdint.h>
|
||||
#include <stdio.h>
|
||||
+#include <strings.h>
|
||||
#include <xtables.h>
|
||||
#include <linux/netfilter/xt_CONNMARK.h>
|
||||
|
||||
@@ -49,6 +50,7 @@ enum {
|
||||
O_CTMASK,
|
||||
O_NFMASK,
|
||||
O_MASK,
|
||||
+ O_DSCP_MARK,
|
||||
F_SET_MARK = 1 << O_SET_MARK,
|
||||
F_SAVE_MARK = 1 << O_SAVE_MARK,
|
||||
F_RESTORE_MARK = 1 << O_RESTORE_MARK,
|
||||
@@ -61,8 +63,10 @@ enum {
|
||||
F_CTMASK = 1 << O_CTMASK,
|
||||
F_NFMASK = 1 << O_NFMASK,
|
||||
F_MASK = 1 << O_MASK,
|
||||
+ F_DSCP_MARK = 1 << O_DSCP_MARK,
|
||||
F_OP_ANY = F_SET_MARK | F_SAVE_MARK | F_RESTORE_MARK |
|
||||
- F_AND_MARK | F_OR_MARK | F_XOR_MARK | F_SET_XMARK,
|
||||
+ F_AND_MARK | F_OR_MARK | F_XOR_MARK | F_SET_XMARK |
|
||||
+ F_DSCP_MARK,
|
||||
};
|
||||
|
||||
static const char *const xt_connmark_shift_ops[] = {
|
||||
@@ -114,6 +118,8 @@ static const struct xt_option_entry connmark_tg_opts[] = {
|
||||
.excl = F_MASK, .flags = XTOPT_PUT, XTOPT_POINTER(s, nfmask)},
|
||||
{.name = "mask", .id = O_MASK, .type = XTTYPE_UINT32,
|
||||
.excl = F_CTMASK | F_NFMASK},
|
||||
+ {.name = "set-dscpmark", .id = O_DSCP_MARK, .type = XTTYPE_MARKMASK32,
|
||||
+ .excl = F_OP_ANY},
|
||||
XTOPT_TABLEEND,
|
||||
};
|
||||
#undef s
|
||||
@@ -148,6 +154,38 @@ static const struct xt_option_entry connmark_tg_opts_v2[] = {
|
||||
};
|
||||
#undef s
|
||||
|
||||
+#define s struct xt_connmark_tginfo3
|
||||
+static const struct xt_option_entry connmark_tg_opts_v3[] = {
|
||||
+ {.name = "set-xmark", .id = O_SET_XMARK, .type = XTTYPE_MARKMASK32,
|
||||
+ .excl = F_OP_ANY},
|
||||
+ {.name = "set-mark", .id = O_SET_MARK, .type = XTTYPE_MARKMASK32,
|
||||
+ .excl = F_OP_ANY},
|
||||
+ {.name = "and-mark", .id = O_AND_MARK, .type = XTTYPE_UINT32,
|
||||
+ .excl = F_OP_ANY},
|
||||
+ {.name = "or-mark", .id = O_OR_MARK, .type = XTTYPE_UINT32,
|
||||
+ .excl = F_OP_ANY},
|
||||
+ {.name = "xor-mark", .id = O_XOR_MARK, .type = XTTYPE_UINT32,
|
||||
+ .excl = F_OP_ANY},
|
||||
+ {.name = "save-mark", .id = O_SAVE_MARK, .type = XTTYPE_NONE,
|
||||
+ .excl = F_OP_ANY},
|
||||
+ {.name = "restore-mark", .id = O_RESTORE_MARK, .type = XTTYPE_NONE,
|
||||
+ .excl = F_OP_ANY},
|
||||
+ {.name = "left-shift-mark", .id = O_LEFT_SHIFT_MARK, .type = XTTYPE_UINT8,
|
||||
+ .min = 0, .max = 32},
|
||||
+ {.name = "right-shift-mark", .id = O_RIGHT_SHIFT_MARK, .type = XTTYPE_UINT8,
|
||||
+ .min = 0, .max = 32},
|
||||
+ {.name = "ctmask", .id = O_CTMASK, .type = XTTYPE_UINT32,
|
||||
+ .excl = F_MASK, .flags = XTOPT_PUT, XTOPT_POINTER(s, ctmask)},
|
||||
+ {.name = "nfmask", .id = O_NFMASK, .type = XTTYPE_UINT32,
|
||||
+ .excl = F_MASK, .flags = XTOPT_PUT, XTOPT_POINTER(s, nfmask)},
|
||||
+ {.name = "mask", .id = O_MASK, .type = XTTYPE_UINT32,
|
||||
+ .excl = F_CTMASK | F_NFMASK},
|
||||
+ {.name = "set-dscpmark", .id = O_DSCP_MARK, .type = XTTYPE_MARKMASK32,
|
||||
+ .excl = F_OP_ANY},
|
||||
+ XTOPT_TABLEEND,
|
||||
+};
|
||||
+#undef s
|
||||
+
|
||||
static void connmark_tg_help(void)
|
||||
{
|
||||
printf(
|
||||
@@ -175,6 +213,15 @@ static void connmark_tg_help_v2(void)
|
||||
);
|
||||
}
|
||||
|
||||
+static void connmark_tg_help_v3(void)
|
||||
+{
|
||||
+ connmark_tg_help_v2();
|
||||
+ printf(
|
||||
+" --set-dscpmark value/mask Save DSCP to conntrack mark value\n"
|
||||
+);
|
||||
+}
|
||||
+
|
||||
+
|
||||
static void connmark_tg_init(struct xt_entry_target *target)
|
||||
{
|
||||
struct xt_connmark_tginfo1 *info = (void *)target->data;
|
||||
@@ -199,6 +246,16 @@ static void connmark_tg_init_v2(struct xt_entry_target *target)
|
||||
info->shift_bits = 0;
|
||||
}
|
||||
|
||||
+static void connmark_tg_init_v3(struct xt_entry_target *target)
|
||||
+{
|
||||
+ struct xt_connmark_tginfo3 *info;
|
||||
+
|
||||
+ connmark_tg_init_v2(target);
|
||||
+ info = (void *)target->data;
|
||||
+
|
||||
+ info->func = 0;
|
||||
+}
|
||||
+
|
||||
static void CONNMARK_parse(struct xt_option_call *cb)
|
||||
{
|
||||
struct xt_connmark_target_info *markinfo = cb->data;
|
||||
@@ -253,6 +310,23 @@ static void connmark_tg_parse(struct xt_option_call *cb)
|
||||
info->ctmark = cb->val.u32;
|
||||
info->ctmask = 0;
|
||||
break;
|
||||
+ case O_DSCP_MARK:
|
||||
+/* we sneaky sneaky this. nfmask isn't used by the set mark functionality
|
||||
+ * and by default is set to uint32max. We can use the top bit as a flag
|
||||
+ * that we're in DSCP_MARK submode of SET_MARK, if set then it's normal
|
||||
+ * if unset then we're in DSCP_MARK
|
||||
+ */
|
||||
+ info->mode = XT_CONNMARK_SET;
|
||||
+ info->ctmark = cb->val.mark;
|
||||
+ info->ctmask = cb->val.mask;
|
||||
+ info->nfmask = info->ctmark ? ffs(info->ctmark) - 1 : 0;
|
||||
+ /* need 6 contiguous bits */
|
||||
+ if ((~0 & (info->ctmark >> info->nfmask)) != 0x3f)
|
||||
+ xtables_error(PARAMETER_PROBLEM,
|
||||
+ "CONNMARK set-dscpmark: need 6 contiguous dscpmask bits");
|
||||
+ if (info->ctmark & info->ctmask)
|
||||
+ xtables_error(PARAMETER_PROBLEM,
|
||||
+ "CONNMARK set-dscpmark: dscpmask/statemask bits overlap");
|
||||
case O_SAVE_MARK:
|
||||
info->mode = XT_CONNMARK_SAVE;
|
||||
break;
|
||||
@@ -320,6 +394,78 @@ static void connmark_tg_parse_v2(struct xt_option_call *cb)
|
||||
}
|
||||
}
|
||||
|
||||
+static void connmark_tg_parse_v3(struct xt_option_call *cb)
|
||||
+{
|
||||
+ struct xt_connmark_tginfo3 *info = cb->data;
|
||||
+
|
||||
+ xtables_option_parse(cb);
|
||||
+ switch (cb->entry->id) {
|
||||
+ case O_SET_XMARK:
|
||||
+ info->mode = XT_CONNMARK_SET;
|
||||
+ info->func = XT_CONNMARK_VALUE;
|
||||
+ info->ctmark = cb->val.mark;
|
||||
+ info->ctmask = cb->val.mask;
|
||||
+ break;
|
||||
+ case O_SET_MARK:
|
||||
+ info->mode = XT_CONNMARK_SET;
|
||||
+ info->func = XT_CONNMARK_VALUE;
|
||||
+ info->ctmark = cb->val.mark;
|
||||
+ info->ctmask = cb->val.mark | cb->val.mask;
|
||||
+ break;
|
||||
+ case O_AND_MARK:
|
||||
+ info->mode = XT_CONNMARK_SET;
|
||||
+ info->func = XT_CONNMARK_VALUE;
|
||||
+ info->ctmark = 0;
|
||||
+ info->ctmask = ~cb->val.u32;
|
||||
+ break;
|
||||
+ case O_OR_MARK:
|
||||
+ info->mode = XT_CONNMARK_SET;
|
||||
+ info->func = XT_CONNMARK_VALUE;
|
||||
+ info->ctmark = cb->val.u32;
|
||||
+ info->ctmask = cb->val.u32;
|
||||
+ break;
|
||||
+ case O_XOR_MARK:
|
||||
+ info->mode = XT_CONNMARK_SET;
|
||||
+ info->func = XT_CONNMARK_VALUE;
|
||||
+ info->ctmark = cb->val.u32;
|
||||
+ info->ctmask = 0;
|
||||
+ break;
|
||||
+ case O_DSCP_MARK:
|
||||
+ info->mode = XT_CONNMARK_SET;
|
||||
+ info->func = XT_CONNMARK_DSCP;
|
||||
+ info->ctmark = cb->val.mark;
|
||||
+ info->ctmask = cb->val.mask;
|
||||
+ info->shift_bits = info->ctmark ? ffs(info->ctmark) - 1 : 0;
|
||||
+ /* need 6 contiguous bits */
|
||||
+ if ((~0 & (info->ctmark >> info->shift_bits)) != 0x3f)
|
||||
+ xtables_error(PARAMETER_PROBLEM,
|
||||
+ "CONNMARK set-dscpmark: need 6 contiguous dscpmask bits");
|
||||
+ if (info->ctmark & info->ctmask)
|
||||
+ xtables_error(PARAMETER_PROBLEM,
|
||||
+ "CONNMARK set-dscpmark: dscpmask/statemask bits overlap");
|
||||
+ break;
|
||||
+ case O_SAVE_MARK:
|
||||
+ info->mode = XT_CONNMARK_SAVE;
|
||||
+ break;
|
||||
+ case O_RESTORE_MARK:
|
||||
+ info->mode = XT_CONNMARK_RESTORE;
|
||||
+ break;
|
||||
+ case O_MASK:
|
||||
+ info->nfmask = info->ctmask = cb->val.u32;
|
||||
+ break;
|
||||
+ case O_LEFT_SHIFT_MARK:
|
||||
+ info->shift_dir = D_SHIFT_LEFT;
|
||||
+ info->shift_bits = cb->val.u8;
|
||||
+ break;
|
||||
+ case O_RIGHT_SHIFT_MARK:
|
||||
+ info->shift_dir = D_SHIFT_RIGHT;
|
||||
+ info->shift_bits = cb->val.u8;
|
||||
+ break;
|
||||
+ default:
|
||||
+ break;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
static void connmark_tg_check(struct xt_fcheck_call *cb)
|
||||
{
|
||||
if (!(cb->xflags & F_OP_ANY))
|
||||
@@ -463,6 +609,65 @@ connmark_tg_print_v2(const void *ip, const struct xt_entry_target *target,
|
||||
}
|
||||
}
|
||||
|
||||
+static void
|
||||
+connmark_tg_print_v3(const void *ip, const struct xt_entry_target *target,
|
||||
+ int numeric)
|
||||
+{
|
||||
+ const struct xt_connmark_tginfo3 *info = (const void *)target->data;
|
||||
+ const char *shift_op = xt_connmark_shift_ops[info->shift_dir];
|
||||
+
|
||||
+ switch (info->mode) {
|
||||
+ case XT_CONNMARK_SET:
|
||||
+ if (info->func & XT_CONNMARK_DSCP) {
|
||||
+ printf(" CONNMARK DSCP 0x%x/0x%x",
|
||||
+ info->ctmark, info->ctmask);
|
||||
+ }
|
||||
+ if (info->func & XT_CONNMARK_VALUE) {
|
||||
+ if (info->ctmark == 0)
|
||||
+ printf(" CONNMARK and 0x%x",
|
||||
+ (unsigned int)(uint32_t)~info->ctmask);
|
||||
+ else if (info->ctmark == info->ctmask)
|
||||
+ printf(" CONNMARK or 0x%x", info->ctmark);
|
||||
+ else if (info->ctmask == 0)
|
||||
+ printf(" CONNMARK xor 0x%x", info->ctmark);
|
||||
+ else if (info->ctmask == 0xFFFFFFFFU)
|
||||
+ printf(" CONNMARK set 0x%x", info->ctmark);
|
||||
+ else
|
||||
+ printf(" CONNMARK xset 0x%x/0x%x",
|
||||
+ info->ctmark, info->ctmask);
|
||||
+ }
|
||||
+ break;
|
||||
+ case XT_CONNMARK_SAVE:
|
||||
+ if (info->nfmask == UINT32_MAX && info->ctmask == UINT32_MAX)
|
||||
+ printf(" CONNMARK save");
|
||||
+ else if (info->nfmask == info->ctmask)
|
||||
+ printf(" CONNMARK save mask 0x%x", info->nfmask);
|
||||
+ else
|
||||
+ printf(" CONNMARK save nfmask 0x%x ctmask ~0x%x",
|
||||
+ info->nfmask, info->ctmask);
|
||||
+ break;
|
||||
+ case XT_CONNMARK_RESTORE:
|
||||
+ if (info->ctmask == UINT32_MAX && info->nfmask == UINT32_MAX)
|
||||
+ printf(" CONNMARK restore");
|
||||
+ else if (info->ctmask == info->nfmask)
|
||||
+ printf(" CONNMARK restore mask 0x%x", info->ctmask);
|
||||
+ else
|
||||
+ printf(" CONNMARK restore ctmask 0x%x nfmask ~0x%x",
|
||||
+ info->ctmask, info->nfmask);
|
||||
+ break;
|
||||
+
|
||||
+ default:
|
||||
+ printf(" ERROR: UNKNOWN CONNMARK MODE");
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ if (info->mode <= XT_CONNMARK_RESTORE &&
|
||||
+ !(info->mode == XT_CONNMARK_SET && info->func == XT_CONNMARK_DSCP) &&
|
||||
+ info->shift_bits != 0) {
|
||||
+ printf(" %s %u", shift_op, info->shift_bits);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
static void CONNMARK_save(const void *ip, const struct xt_entry_target *target)
|
||||
{
|
||||
const struct xt_connmark_target_info *markinfo =
|
||||
@@ -548,6 +753,38 @@ connmark_tg_save_v2(const void *ip, const struct xt_entry_target *target)
|
||||
}
|
||||
}
|
||||
|
||||
+static void
|
||||
+connmark_tg_save_v3(const void *ip, const struct xt_entry_target *target)
|
||||
+{
|
||||
+ const struct xt_connmark_tginfo3 *info = (const void *)target->data;
|
||||
+ const char *shift_op = xt_connmark_shift_ops[info->shift_dir];
|
||||
+
|
||||
+ switch (info->mode) {
|
||||
+ case XT_CONNMARK_SET:
|
||||
+ if (info->func & XT_CONNMARK_VALUE)
|
||||
+ printf(" --set-xmark 0x%x/0x%x", info->ctmark, info->ctmask);
|
||||
+ if (info->func & XT_CONNMARK_DSCP)
|
||||
+ printf(" --set-dscpmark 0x%x/0x%x", info->ctmark, info->ctmask);
|
||||
+ break;
|
||||
+ case XT_CONNMARK_SAVE:
|
||||
+ printf(" --save-mark --nfmask 0x%x --ctmask 0x%x",
|
||||
+ info->nfmask, info->ctmask);
|
||||
+ break;
|
||||
+ case XT_CONNMARK_RESTORE:
|
||||
+ printf(" --restore-mark --nfmask 0x%x --ctmask 0x%x",
|
||||
+ info->nfmask, info->ctmask);
|
||||
+ break;
|
||||
+ default:
|
||||
+ printf(" ERROR: UNKNOWN CONNMARK MODE");
|
||||
+ break;
|
||||
+ }
|
||||
+ if (info->mode <= XT_CONNMARK_RESTORE &&
|
||||
+ !(info->mode == XT_CONNMARK_SET && info->func == XT_CONNMARK_DSCP) &&
|
||||
+ info->shift_bits != 0) {
|
||||
+ printf(" --%s %u", shift_op, info->shift_bits);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
static int connmark_tg_xlate(struct xt_xlate *xl,
|
||||
const struct xt_xlate_tg_params *params)
|
||||
{
|
||||
@@ -639,6 +876,66 @@ static int connmark_tg_xlate_v2(struct xt_xlate *xl,
|
||||
|
||||
return 1;
|
||||
}
|
||||
+
|
||||
+static int connmark_tg_xlate_v3(struct xt_xlate *xl,
|
||||
+ const struct xt_xlate_tg_params *params)
|
||||
+{
|
||||
+ const struct xt_connmark_tginfo3 *info =
|
||||
+ (const void *)params->target->data;
|
||||
+ const char *shift_op = xt_connmark_shift_ops[info->shift_dir];
|
||||
+
|
||||
+ switch (info->mode) {
|
||||
+ case XT_CONNMARK_SET:
|
||||
+ xt_xlate_add(xl, "ct mark set ");
|
||||
+ if (info->func & XT_CONNMARK_VALUE) {
|
||||
+ if (info->ctmask == 0xFFFFFFFFU)
|
||||
+ xt_xlate_add(xl, "0x%x ", info->ctmark);
|
||||
+ else if (info->ctmark == 0)
|
||||
+ xt_xlate_add(xl, "ct mark and 0x%x", ~info->ctmask);
|
||||
+ else if (info->ctmark == info->ctmask)
|
||||
+ xt_xlate_add(xl, "ct mark or 0x%x",
|
||||
+ info->ctmark);
|
||||
+ else if (info->ctmask == 0)
|
||||
+ xt_xlate_add(xl, "ct mark xor 0x%x",
|
||||
+ info->ctmark);
|
||||
+ else
|
||||
+ xt_xlate_add(xl, "ct mark xor 0x%x and 0x%x",
|
||||
+ info->ctmark, ~info->ctmask);
|
||||
+ }
|
||||
+ if (info->func & XT_CONNMARK_DSCP) {
|
||||
+/* FIXME the nftables syntax would go here if only we knew what it was */
|
||||
+ xt_xlate_add(xl, "ct mark set typeof(ct mark) ip dscp "
|
||||
+ "<< %u or 0x%x", info->shift_bits,
|
||||
+ info->ctmask);
|
||||
+ }
|
||||
+ break;
|
||||
+ case XT_CONNMARK_SAVE:
|
||||
+ xt_xlate_add(xl, "ct mark set mark");
|
||||
+ if (!(info->nfmask == UINT32_MAX &&
|
||||
+ info->ctmask == UINT32_MAX)) {
|
||||
+ if (info->nfmask == info->ctmask)
|
||||
+ xt_xlate_add(xl, " and 0x%x", info->nfmask);
|
||||
+ }
|
||||
+ break;
|
||||
+ case XT_CONNMARK_RESTORE:
|
||||
+ xt_xlate_add(xl, "meta mark set ct mark");
|
||||
+ if (!(info->nfmask == UINT32_MAX &&
|
||||
+ info->ctmask == UINT32_MAX)) {
|
||||
+ if (info->nfmask == info->ctmask)
|
||||
+ xt_xlate_add(xl, " and 0x%x", info->nfmask);
|
||||
+ }
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ if (info->mode <= XT_CONNMARK_RESTORE &&
|
||||
+ !(info->mode == XT_CONNMARK_SET && info->func == XT_CONNMARK_DSCP) &&
|
||||
+ info->shift_bits != 0) {
|
||||
+ xt_xlate_add(xl, " %s %u", shift_op, info->shift_bits);
|
||||
+ }
|
||||
+
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
static struct xtables_target connmark_tg_reg[] = {
|
||||
{
|
||||
.family = NFPROTO_UNSPEC,
|
||||
@@ -687,6 +984,22 @@ static struct xtables_target connmark_tg_reg[] = {
|
||||
.x6_options = connmark_tg_opts_v2,
|
||||
.xlate = connmark_tg_xlate_v2,
|
||||
},
|
||||
+ {
|
||||
+ .version = XTABLES_VERSION,
|
||||
+ .name = "CONNMARK",
|
||||
+ .revision = 3,
|
||||
+ .family = NFPROTO_UNSPEC,
|
||||
+ .size = XT_ALIGN(sizeof(struct xt_connmark_tginfo3)),
|
||||
+ .userspacesize = XT_ALIGN(sizeof(struct xt_connmark_tginfo3)),
|
||||
+ .help = connmark_tg_help_v3,
|
||||
+ .init = connmark_tg_init_v3,
|
||||
+ .print = connmark_tg_print_v3,
|
||||
+ .save = connmark_tg_save_v3,
|
||||
+ .x6_parse = connmark_tg_parse_v3,
|
||||
+ .x6_fcheck = connmark_tg_check,
|
||||
+ .x6_options = connmark_tg_opts_v3,
|
||||
+ .xlate = connmark_tg_xlate_v3,
|
||||
+ },
|
||||
};
|
||||
|
||||
void _init(void)
|
||||
diff --git a/include/linux/netfilter/xt_connmark.h b/include/linux/netfilter/xt_connmark.h
|
||||
index bbf2acc9..1d8e721c 100644
|
||||
--- a/include/linux/netfilter/xt_connmark.h
|
||||
+++ b/include/linux/netfilter/xt_connmark.h
|
||||
@@ -18,6 +18,11 @@ enum {
|
||||
XT_CONNMARK_RESTORE
|
||||
};
|
||||
|
||||
+enum {
|
||||
+ XT_CONNMARK_VALUE = (1 << 0),
|
||||
+ XT_CONNMARK_DSCP = (1 << 1)
|
||||
+};
|
||||
+
|
||||
struct xt_connmark_tginfo1 {
|
||||
__u32 ctmark, ctmask, nfmask;
|
||||
__u8 mode;
|
||||
@@ -28,6 +33,11 @@ struct xt_connmark_tginfo2 {
|
||||
__u8 shift_dir, shift_bits, mode;
|
||||
};
|
||||
|
||||
+struct xt_connmark_tginfo3 {
|
||||
+ __u32 ctmark, ctmask, nfmask;
|
||||
+ __u8 shift_dir, shift_bits, mode, func;
|
||||
+};
|
||||
+
|
||||
struct xt_connmark_mtinfo1 {
|
||||
__u32 mark, mask;
|
||||
__u8 invert;
|
||||
--
|
||||
2.21.0 (Apple Git-122.2)
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
--- a/libxtables/xtables.c
|
||||
+++ b/libxtables/xtables.c
|
||||
@@ -887,12 +887,6 @@ static void xtables_check_options(const
|
||||
@@ -903,12 +903,6 @@ static void xtables_check_options(const
|
||||
|
||||
void xtables_register_match(struct xtables_match *me)
|
||||
{
|
||||
@ -13,7 +13,7 @@
|
||||
if (me->version == NULL) {
|
||||
fprintf(stderr, "%s: match %s<%u> is missing a version\n",
|
||||
xt_params->program_name, me->name, me->revision);
|
||||
@@ -1080,12 +1074,6 @@ void xtables_register_matches(struct xta
|
||||
@@ -1096,12 +1090,6 @@ void xtables_register_matches(struct xta
|
||||
|
||||
void xtables_register_target(struct xtables_target *me)
|
||||
{
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
--- a/iptables/xtables-legacy-multi.c
|
||||
+++ b/iptables/xtables-legacy-multi.c
|
||||
@@ -31,8 +31,10 @@ static const struct subcommand multi_sub
|
||||
@@ -32,8 +32,10 @@ static const struct subcommand multi_sub
|
||||
|
||||
|
||||
#endif
|
||||
|
||||
@ -34,10 +34,10 @@
|
||||
+pfa_objs := $(patsubst %,libarpt_%.o,${pfa_build_static})
|
||||
+pf4_objs := $(patsubst %,libipt_%.o,${pf4_build_static})
|
||||
+pf6_objs := $(patsubst %,libip6t_%.o,${pf6_build_static})
|
||||
pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod} ${pfx_symlinks})
|
||||
pfx_solibs := $(patsubst %,libxt_%.so,${pfx_build_mod})
|
||||
pfb_solibs := $(patsubst %,libebt_%.so,${pfb_build_mod})
|
||||
pfa_solibs := $(patsubst %,libarpt_%.so,${pfa_build_mod})
|
||||
@@ -67,13 +87,13 @@ pf6_solibs := $(patsubst %,libip6t_%.
|
||||
@@ -68,14 +88,14 @@ pfx_symlink_files := $(patsubst %,libxt_
|
||||
#
|
||||
targets := libext.a libext4.a libext6.a libext_ebt.a libext_arpt.a matches.man targets.man
|
||||
targets_install :=
|
||||
@ -46,19 +46,21 @@
|
||||
-@ENABLE_STATIC_TRUE@ libext_arpt_objs := ${pfa_objs}
|
||||
-@ENABLE_STATIC_TRUE@ libext4_objs := ${pf4_objs}
|
||||
-@ENABLE_STATIC_TRUE@ libext6_objs := ${pf6_objs}
|
||||
-@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs}
|
||||
-@ENABLE_STATIC_FALSE@ targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} ${pfx_symlink_files}
|
||||
-@ENABLE_STATIC_FALSE@ targets_install += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs}
|
||||
-@ENABLE_STATIC_FALSE@ symlinks_install := ${pfx_symlink_files}
|
||||
+libext_objs := ${pfx_objs}
|
||||
+libext_ebt_objs := ${pfb_objs}
|
||||
+libext_arpt_objs := ${pfa_objs}
|
||||
+libext4_objs := ${pf4_objs}
|
||||
+libext6_objs := ${pf6_objs}
|
||||
+targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs}
|
||||
+targets += ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs} ${pfx_symlink_files}
|
||||
+targets_install := $(strip ${pfx_solibs} ${pfb_solibs} ${pf4_solibs} ${pf6_solibs} ${pfa_solibs})
|
||||
+symlinks_install := ${pfx_symlink_files}
|
||||
|
||||
.SECONDARY:
|
||||
|
||||
@@ -141,11 +161,11 @@ libext4.a: initext4.o ${libext4_objs}
|
||||
@@ -148,11 +168,11 @@ libext4.a: initext4.o ${libext4_objs}
|
||||
libext6.a: initext6.o ${libext6_objs}
|
||||
${AM_VERBOSE_AR} ${AR} crs $@ $^;
|
||||
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
--- a/extensions/GNUmakefile.in
|
||||
+++ b/extensions/GNUmakefile.in
|
||||
@@ -85,7 +85,7 @@ pf6_solibs := $(patsubst %,libip6t_%.
|
||||
@@ -86,7 +86,7 @@ pfx_symlink_files := $(patsubst %,libxt_
|
||||
#
|
||||
# Building blocks
|
||||
#
|
||||
@ -9,7 +9,7 @@
|
||||
targets_install :=
|
||||
libext_objs := ${pfx_objs}
|
||||
libext_ebt_objs := ${pfb_objs}
|
||||
@@ -112,7 +112,7 @@ clean:
|
||||
@@ -119,7 +119,7 @@ clean:
|
||||
distclean: clean
|
||||
|
||||
init%.o: init%.c
|
||||
@ -18,7 +18,7 @@
|
||||
|
||||
-include .*.d
|
||||
|
||||
@@ -144,22 +144,22 @@ xt_connlabel_LIBADD = @libnetfilter_conn
|
||||
@@ -151,22 +151,22 @@ xt_connlabel_LIBADD = @libnetfilter_conn
|
||||
# handling code in the Makefiles.
|
||||
#
|
||||
lib%.o: ${srcdir}/lib%.c
|
||||
@ -54,7 +54,7 @@
|
||||
initextb_func := $(addprefix ebt_,${pfb_build_static})
|
||||
--- a/iptables/Makefile.am
|
||||
+++ b/iptables/Makefile.am
|
||||
@@ -8,7 +8,8 @@ BUILT_SOURCES =
|
||||
@@ -7,19 +7,22 @@ BUILT_SOURCES =
|
||||
|
||||
xtables_legacy_multi_SOURCES = xtables-legacy-multi.c iptables-xml.c
|
||||
xtables_legacy_multi_CFLAGS = ${AM_CFLAGS}
|
||||
@ -64,26 +64,24 @@
|
||||
if ENABLE_STATIC
|
||||
xtables_legacy_multi_CFLAGS += -DALL_INCLUSIVE
|
||||
endif
|
||||
@@ -16,13 +17,15 @@ if ENABLE_IPV4
|
||||
xtables_legacy_multi_SOURCES += iptables-save.c iptables-restore.c \
|
||||
iptables-standalone.c iptables.c
|
||||
if ENABLE_IPV4
|
||||
xtables_legacy_multi_SOURCES += iptables-standalone.c iptables.c
|
||||
xtables_legacy_multi_CFLAGS += -DENABLE_IPV4
|
||||
-xtables_legacy_multi_LDADD += ../libiptc/libip4tc.la ../extensions/libext4.a
|
||||
+xtables_legacy_multi_LDADD += ../libiptc/libip4tc.la
|
||||
+xtables_legacy_multi_LDFLAGS += -liptext4
|
||||
endif
|
||||
if ENABLE_IPV6
|
||||
xtables_legacy_multi_SOURCES += ip6tables-save.c ip6tables-restore.c \
|
||||
ip6tables-standalone.c ip6tables.c
|
||||
xtables_legacy_multi_SOURCES += ip6tables-standalone.c ip6tables.c
|
||||
xtables_legacy_multi_CFLAGS += -DENABLE_IPV6
|
||||
-xtables_legacy_multi_LDADD += ../libiptc/libip6tc.la ../extensions/libext6.a
|
||||
+xtables_legacy_multi_LDADD += ../libiptc/libip6tc.la
|
||||
+xtables_legacy_multi_LDFLAGS += -liptext6
|
||||
endif
|
||||
xtables_legacy_multi_SOURCES += xshared.c
|
||||
xtables_legacy_multi_SOURCES += xshared.c iptables-restore.c iptables-save.c
|
||||
xtables_legacy_multi_LDADD += ../libxtables/libxtables.la -lm
|
||||
@@ -32,7 +35,8 @@ if ENABLE_NFTABLES
|
||||
BUILT_SOURCES += xtables-config-parser.h
|
||||
@@ -28,7 +31,8 @@ xtables_legacy_multi_LDADD += ../libxt
|
||||
if ENABLE_NFTABLES
|
||||
xtables_nft_multi_SOURCES = xtables-nft-multi.c iptables-xml.c
|
||||
xtables_nft_multi_CFLAGS = ${AM_CFLAGS}
|
||||
-xtables_nft_multi_LDADD = ../extensions/libext.a ../extensions/libext_ebt.a
|
||||
@ -92,13 +90,13 @@
|
||||
if ENABLE_STATIC
|
||||
xtables_nft_multi_CFLAGS += -DALL_INCLUSIVE
|
||||
endif
|
||||
@@ -47,7 +51,8 @@ xtables_nft_multi_SOURCES += xtables-sav
|
||||
@@ -42,7 +46,8 @@ xtables_nft_multi_SOURCES += xtables-sav
|
||||
xtables-eb-standalone.c xtables-eb.c \
|
||||
xtables-eb-translate.c \
|
||||
xtables-translate.c
|
||||
-xtables_nft_multi_LDADD += ${libmnl_LIBS} ${libnftnl_LIBS} ${libnetfilter_conntrack_LIBS} ../extensions/libext4.a ../extensions/libext6.a ../extensions/libext_ebt.a ../extensions/libext_arpt.a
|
||||
+xtables_nft_multi_LDADD += ${libmnl_LIBS} ${libnftnl_LIBS} ${libnetfilter_conntrack_LIBS}
|
||||
+xtables_nft_multi_LDFLAGS += -liptext4 -liptext6 -liptext_arpt
|
||||
# yacc and lex generate dirty code
|
||||
xtables_nft_multi-xtables-config-parser.o xtables_nft_multi-xtables-config-syntax.o: AM_CFLAGS += -Wno-missing-prototypes -Wno-missing-declarations -Wno-implicit-function-declaration -Wno-nested-externs -Wno-undef -Wno-redundant-decls
|
||||
xtables_nft_multi_SOURCES += xshared.c
|
||||
xtables_nft_multi_LDADD += ../libxtables/libxtables.la -lm
|
||||
endif
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
--- a/extensions/libxt_conntrack.c
|
||||
+++ b/extensions/libxt_conntrack.c
|
||||
@@ -1389,6 +1389,7 @@ static int conntrack3_mt6_xlate(struct x
|
||||
@@ -1387,6 +1387,7 @@ static int conntrack3_mt6_xlate(struct x
|
||||
}
|
||||
|
||||
static struct xtables_match conntrack_mt_reg[] = {
|
||||
@ -8,7 +8,7 @@
|
||||
{
|
||||
.version = XTABLES_VERSION,
|
||||
.name = "conntrack",
|
||||
@@ -1464,6 +1465,7 @@ static struct xtables_match conntrack_mt
|
||||
@@ -1462,6 +1463,7 @@ static struct xtables_match conntrack_mt
|
||||
.alias = conntrack_print_name_alias,
|
||||
.x6_options = conntrack2_mt_opts,
|
||||
},
|
||||
@ -16,7 +16,7 @@
|
||||
{
|
||||
.version = XTABLES_VERSION,
|
||||
.name = "conntrack",
|
||||
@@ -1496,6 +1498,7 @@ static struct xtables_match conntrack_mt
|
||||
@@ -1494,6 +1496,7 @@ static struct xtables_match conntrack_mt
|
||||
.x6_options = conntrack3_mt_opts,
|
||||
.xlate = conntrack3_mt6_xlate,
|
||||
},
|
||||
@ -24,7 +24,7 @@
|
||||
{
|
||||
.family = NFPROTO_UNSPEC,
|
||||
.name = "state",
|
||||
@@ -1526,6 +1529,8 @@ static struct xtables_match conntrack_mt
|
||||
@@ -1524,6 +1527,8 @@ static struct xtables_match conntrack_mt
|
||||
.x6_parse = state_ct23_parse,
|
||||
.x6_options = state_opts,
|
||||
},
|
||||
@ -33,7 +33,7 @@
|
||||
{
|
||||
.family = NFPROTO_UNSPEC,
|
||||
.name = "state",
|
||||
@@ -1555,6 +1560,7 @@ static struct xtables_match conntrack_mt
|
||||
@@ -1553,6 +1558,7 @@ static struct xtables_match conntrack_mt
|
||||
.x6_parse = state_parse,
|
||||
.x6_options = state_opts,
|
||||
},
|
||||
|
||||
Loading…
Reference in New Issue
Block a user