Rebase to upstream release 1.3.8
parent
d784db838b
commit
7b2367e316
@ -1,7 +1 @@
|
|||||||
iptables-1.2.11.tar.bz2
|
iptables-1.3.8.tar.bz2
|
||||||
iptables-1.3.0.tar.bz2
|
|
||||||
iptables-1.3.1.tar.bz2
|
|
||||||
iptables-1.3.2.tar.bz2
|
|
||||||
iptables-1.3.4.tar.bz2
|
|
||||||
iptables-1.3.5.tar.bz2
|
|
||||||
iptables-1.3.7.tar.bz2
|
|
||||||
|
@ -1,14 +0,0 @@
|
|||||||
--- iptables-1.2.10/iptables-restore.c.counters 2004-06-15 00:02:16.000000000 +0200
|
|
||||||
+++ iptables-1.2.10/iptables-restore.c 2004-06-17 14:01:50.953645355 +0200
|
|
||||||
@@ -73,7 +73,10 @@
|
|
||||||
|
|
||||||
int parse_counters(char *string, struct ipt_counters *ctr)
|
|
||||||
{
|
|
||||||
- return (sscanf(string, "[%llu:%llu]", (unsigned long long *)&ctr->pcnt, (unsigned long long *)&ctr->bcnt) == 2);
|
|
||||||
+ if (string != NULL)
|
|
||||||
+ return (sscanf(string, "[%llu:%llu]", (unsigned long long *)&ctr->pcnt, (unsigned long long *)&ctr->bcnt) == 2);
|
|
||||||
+ else
|
|
||||||
+ return (0 == 2);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* global new argv and argc */
|
|
@ -1,48 +0,0 @@
|
|||||||
--- iptables-1.2.11/ip6tables.c.autoload 2004-11-11 12:03:35.221306429 +0100
|
|
||||||
+++ iptables-1.2.11/ip6tables.c 2004-11-11 12:04:43.382900379 +0100
|
|
||||||
@@ -1595,15 +1595,18 @@
|
|
||||||
int procfile;
|
|
||||||
char *ret;
|
|
||||||
|
|
||||||
+#define PROCFILE_BUFSIZ 1024
|
|
||||||
+
|
|
||||||
procfile = open(PROC_SYS_MODPROBE, O_RDONLY);
|
|
||||||
if (procfile < 0)
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
- ret = malloc(1024);
|
|
||||||
+ ret = malloc(PROCFILE_BUFSIZ);
|
|
||||||
if (ret) {
|
|
||||||
- switch (read(procfile, ret, 1024)) {
|
|
||||||
+ memset(ret, 0, PROCFILE_BUFSIZ);
|
|
||||||
+ switch (read(procfile, ret, PROCFILE_BUFSIZ)) {
|
|
||||||
case -1: goto fail;
|
|
||||||
- case 1024: goto fail; /* Partial read. Wierd */
|
|
||||||
+ case PROCFILE_BUFSIZ: goto fail; /* Partial read. Wierd */
|
|
||||||
}
|
|
||||||
if (ret[strlen(ret)-1]=='\n')
|
|
||||||
ret[strlen(ret)-1]=0;
|
|
||||||
--- iptables-1.2.11/iptables.c.autoload 2004-11-11 12:01:35.601815606 +0100
|
|
||||||
+++ iptables-1.2.11/iptables.c 2004-11-11 12:02:50.496478760 +0100
|
|
||||||
@@ -1593,15 +1593,18 @@
|
|
||||||
int procfile;
|
|
||||||
char *ret;
|
|
||||||
|
|
||||||
+#define PROCFILE_BUFSIZ 1024
|
|
||||||
+
|
|
||||||
procfile = open(PROC_SYS_MODPROBE, O_RDONLY);
|
|
||||||
if (procfile < 0)
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
- ret = malloc(1024);
|
|
||||||
+ ret = malloc(PROCFILE_BUFSIZ);
|
|
||||||
if (ret) {
|
|
||||||
- switch (read(procfile, ret, 1024)) {
|
|
||||||
+ memset(ret, 0, PROCFILE_BUFSIZ);
|
|
||||||
+ switch (read(procfile, ret, PROCFILE_BUFSIZ)) {
|
|
||||||
case -1: goto fail;
|
|
||||||
- case 1024: goto fail; /* Partial read. Wierd */
|
|
||||||
+ case PROCFILE_BUFSIZ: goto fail; /* Partial read. Wierd */
|
|
||||||
}
|
|
||||||
if (ret[strlen(ret)-1]=='\n')
|
|
||||||
ret[strlen(ret)-1]=0;
|
|
@ -1,12 +0,0 @@
|
|||||||
diff -ur iptables-1.2.11.orig/extensions/libipt_rpc.c iptables-1.2.11/extensions/libipt_rpc.c
|
|
||||||
--- iptables-1.2.11.orig/extensions/libipt_rpc.c 2004-09-05 11:27:50.000000000 -0400
|
|
||||||
+++ iptables-1.2.11/extensions/libipt_rpc.c 2004-09-05 11:41:11.000000000 -0400
|
|
||||||
@@ -252,7 +252,7 @@
|
|
||||||
|
|
||||||
idup = 0;
|
|
||||||
memset(buf, 0, sizeof(buf));
|
|
||||||
- dst = (char *)buf - 1;
|
|
||||||
+ dst = (char *)buf;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
@ -1,18 +0,0 @@
|
|||||||
--- iptables-1.2.11/iptables.c.free 2004-08-25 19:10:34.098917816 +0200
|
|
||||||
+++ iptables-1.2.11/iptables.c 2004-08-25 19:12:42.366228649 +0200
|
|
||||||
@@ -2344,11 +2344,11 @@
|
|
||||||
e = NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
- for (c = 0; c < nsaddrs; c++)
|
|
||||||
- free(&saddrs[c]);
|
|
||||||
+ /* free the whole array - allocated with calloc */
|
|
||||||
+ free(saddrs);
|
|
||||||
|
|
||||||
- for (c = 0; c < ndaddrs; c++)
|
|
||||||
- free(&daddrs[c]);
|
|
||||||
+ /* free the whole array - allocated with calloc */
|
|
||||||
+ free(daddrs);
|
|
||||||
|
|
||||||
if (opts != original_opts) {
|
|
||||||
free(opts);
|
|
@ -1,13 +0,0 @@
|
|||||||
--- iptables-1.2.9/libipq/libipq.c.netlink 2003-12-05 17:00:07.000000000 +0100
|
|
||||||
+++ iptables-1.2.9/libipq/libipq.c 2003-12-05 17:00:39.000000000 +0100
|
|
||||||
@@ -171,6 +171,10 @@
|
|
||||||
ipq_errno = IPQ_ERR_RECV;
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
+ if (h->peer.nl_pid != 0) {
|
|
||||||
+ ipq_errno = IPQ_ERR_RECV;
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
if (status == 0) {
|
|
||||||
ipq_errno = IPQ_ERR_NLEOF;
|
|
||||||
return -1;
|
|
@ -1,42 +0,0 @@
|
|||||||
--- iptables-1.2.9/ip6tables.c.selinux 2004-01-25 13:39:58.652465653 -0500
|
|
||||||
+++ iptables-1.2.9/ip6tables.c 2004-01-25 13:52:50.291335019 -0500
|
|
||||||
@@ -1587,6 +1587,7 @@
|
|
||||||
{
|
|
||||||
char *buf = NULL;
|
|
||||||
char *argv[3];
|
|
||||||
+ int i=0;
|
|
||||||
|
|
||||||
/* If they don't explicitly set it, read out of kernel */
|
|
||||||
if (!modprobe) {
|
|
||||||
@@ -1598,6 +1599,10 @@
|
|
||||||
|
|
||||||
switch (fork()) {
|
|
||||||
case 0:
|
|
||||||
+ /* close open file descriptors */
|
|
||||||
+ for (i=0; i< 10; i++) {
|
|
||||||
+ close(i);
|
|
||||||
+ }
|
|
||||||
argv[0] = (char *)modprobe;
|
|
||||||
argv[1] = (char *)modname;
|
|
||||||
argv[2] = NULL;
|
|
||||||
--- iptables-1.2.9/iptables.c.selinux 2004-01-25 13:39:58.702460379 -0500
|
|
||||||
+++ iptables-1.2.9/iptables.c 2004-01-25 13:52:55.940802957 -0500
|
|
||||||
@@ -1583,6 +1583,7 @@
|
|
||||||
{
|
|
||||||
char *buf = NULL;
|
|
||||||
char *argv[3];
|
|
||||||
+ int i=0;
|
|
||||||
|
|
||||||
/* If they don't explicitly set it, read out of kernel */
|
|
||||||
if (!modprobe) {
|
|
||||||
@@ -1594,6 +1595,10 @@
|
|
||||||
|
|
||||||
switch (fork()) {
|
|
||||||
case 0:
|
|
||||||
+ /* close open file descriptors */
|
|
||||||
+ for (i=0; i< 10; i++) {
|
|
||||||
+ close(i);
|
|
||||||
+ }
|
|
||||||
argv[0] = (char *)modprobe;
|
|
||||||
argv[1] = (char *)modname;
|
|
||||||
argv[2] = NULL;
|
|
@ -1,11 +0,0 @@
|
|||||||
--- iptables-1.3.0/ip6tables.c.autoload 2005-02-21 17:52:46.502379964 +0100
|
|
||||||
+++ iptables-1.3.0/ip6tables.c 2005-02-21 18:01:38.113422285 +0100
|
|
||||||
@@ -1589,7 +1589,7 @@
|
|
||||||
if (procfile < 0)
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
- ret = malloc(PROCFILE_BUFSIZ);
|
|
||||||
+ ret = (char *) malloc(PROCFILE_BUFSIZ);
|
|
||||||
if (ret) {
|
|
||||||
memset(ret, 0, PROCFILE_BUFSIZ);
|
|
||||||
switch (read(procfile, ret, PROCFILE_BUFSIZ)) {
|
|
@ -1,74 +0,0 @@
|
|||||||
--- iptables-1.3.0/extensions/libipt_rpc.c.cleanup 2005-11-09 16:37:34.000000000 +0100
|
|
||||||
+++ iptables-1.3.0/extensions/libipt_rpc.c 2005-11-09 16:37:38.000000000 +0100
|
|
||||||
@@ -205,7 +205,7 @@
|
|
||||||
|
|
||||||
memset(buf, 0, sizeof(buf));
|
|
||||||
|
|
||||||
- for (src=string, dst=buf; term != 1 ; src++, dst++) {
|
|
||||||
+ for (src=string, dst=buf; term != 1 ; src++) {
|
|
||||||
|
|
||||||
if ( *src != ',' && *src != '\0' ) {
|
|
||||||
if ( ( *src >= 65 && *src <= 90 ) || ( *src >= 97 && *src <= 122) ) {
|
|
||||||
@@ -220,7 +220,7 @@
|
|
||||||
string, src - string + 1);
|
|
||||||
|
|
||||||
}
|
|
||||||
-
|
|
||||||
+ dst++;
|
|
||||||
} else {
|
|
||||||
*dst = '\0';
|
|
||||||
if ( idup == 1 ) {
|
|
||||||
--- iptables-1.3.0/extensions/libipt_rpc.c.cleanup 2005-03-18 16:25:34.174370567 +0100
|
|
||||||
+++ iptables-1.3.0/extensions/libipt_rpc.c 2005-03-18 16:25:32.000000000 +0100
|
|
||||||
@@ -252,7 +252,7 @@
|
|
||||||
|
|
||||||
idup = 0;
|
|
||||||
memset(buf, 0, sizeof(buf));
|
|
||||||
- dst = (char *)buf - 1;
|
|
||||||
+ dst = (char *)buf;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
--- iptables-1.3.0/extensions/libipt_REJECT.c.cleanup 2005-03-18 16:29:21.611549462 +0100
|
|
||||||
+++ iptables-1.3.0/extensions/libipt_REJECT.c 2005-03-18 16:31:26.951045260 +0100
|
|
||||||
@@ -147,13 +147,16 @@
|
|
||||||
{
|
|
||||||
const struct ipt_reject_info *reject
|
|
||||||
= (const struct ipt_reject_info *)target->data;
|
|
||||||
- unsigned int i;
|
|
||||||
+ unsigned int i, limit=sizeof(reject_table)/sizeof(struct reject_names);
|
|
||||||
|
|
||||||
- for (i = 0; i < sizeof(reject_table)/sizeof(struct reject_names); i++) {
|
|
||||||
+ for (i = 0; i < limit; i++) {
|
|
||||||
if (reject_table[i].with == reject->with)
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
- printf("reject-with %s ", reject_table[i].name);
|
|
||||||
+ if (i < limit)
|
|
||||||
+ printf("reject-with %s ", reject_table[i].name);
|
|
||||||
+ else
|
|
||||||
+ fprintf(stderr, "reject-with: error reject->with not found ");
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Saves ipt_reject in parsable form to stdout. */
|
|
||||||
@@ -161,13 +164,16 @@
|
|
||||||
{
|
|
||||||
const struct ipt_reject_info *reject
|
|
||||||
= (const struct ipt_reject_info *)target->data;
|
|
||||||
- unsigned int i;
|
|
||||||
+ unsigned int i, limit=sizeof(reject_table)/sizeof(struct reject_names);
|
|
||||||
|
|
||||||
- for (i = 0; i < sizeof(reject_table)/sizeof(struct reject_names); i++)
|
|
||||||
+ for (i = 0; i < limit; i++) {
|
|
||||||
if (reject_table[i].with == reject->with)
|
|
||||||
break;
|
|
||||||
-
|
|
||||||
- printf("--reject-with %s ", reject_table[i].name);
|
|
||||||
+ }
|
|
||||||
+ if (i < limit)
|
|
||||||
+ printf("--reject-with %s ", reject_table[i].name);
|
|
||||||
+ else
|
|
||||||
+ fprintf(stderr, "--reject-with error reject->with not found");
|
|
||||||
}
|
|
||||||
|
|
||||||
static struct iptables_target reject = {
|
|
@ -1,11 +0,0 @@
|
|||||||
--- iptables-1.3.0/iptables.c.no_root 2005-03-18 17:29:57.109501987 +0100
|
|
||||||
+++ iptables-1.3.0/iptables.c 2005-03-18 17:29:58.321405982 +0100
|
|
||||||
@@ -2300,7 +2300,7 @@
|
|
||||||
*handle = iptc_init(*table);
|
|
||||||
|
|
||||||
if (!*handle)
|
|
||||||
- exit_error(VERSION_PROBLEM,
|
|
||||||
+ exit_error(errno == EPERM ? OTHER_PROBLEM : VERSION_PROBLEM,
|
|
||||||
"can't initialize iptables table `%s': %s",
|
|
||||||
*table, iptc_strerror(errno));
|
|
||||||
|
|
@ -1,42 +0,0 @@
|
|||||||
--- iptables-1.3.0/ip6tables.c.selinux 2005-01-04 11:38:39.000000000 +0100
|
|
||||||
+++ iptables-1.3.0/ip6tables.c 2005-02-21 17:51:24.811668259 +0100
|
|
||||||
@@ -1612,6 +1612,7 @@
|
|
||||||
char *buf = NULL;
|
|
||||||
char *argv[3];
|
|
||||||
int status;
|
|
||||||
+ int i = 0;
|
|
||||||
|
|
||||||
/* If they don't explicitly set it, read out of kernel */
|
|
||||||
if (!modprobe) {
|
|
||||||
@@ -1623,6 +1624,10 @@
|
|
||||||
|
|
||||||
switch (fork()) {
|
|
||||||
case 0:
|
|
||||||
+ /* close open file descriptors */
|
|
||||||
+ for (i=0; i< 10; i++) {
|
|
||||||
+ close(i);
|
|
||||||
+ }
|
|
||||||
argv[0] = (char *)modprobe;
|
|
||||||
argv[1] = (char *)modname;
|
|
||||||
argv[2] = NULL;
|
|
||||||
--- iptables-1.3.0/iptables.c.selinux 2005-01-04 11:38:38.000000000 +0100
|
|
||||||
+++ iptables-1.3.0/iptables.c 2005-02-21 17:51:33.409499635 +0100
|
|
||||||
@@ -1708,6 +1708,7 @@
|
|
||||||
char *buf = NULL;
|
|
||||||
char *argv[3];
|
|
||||||
int status;
|
|
||||||
+ int i = 0;
|
|
||||||
|
|
||||||
/* If they don't explicitly set it, read out of kernel */
|
|
||||||
if (!modprobe) {
|
|
||||||
@@ -1719,6 +1720,10 @@
|
|
||||||
|
|
||||||
switch (fork()) {
|
|
||||||
case 0:
|
|
||||||
+ /* close open file descriptors */
|
|
||||||
+ for (i=0; i< 10; i++) {
|
|
||||||
+ close(i);
|
|
||||||
+ }
|
|
||||||
argv[0] = (char *)modprobe;
|
|
||||||
argv[1] = (char *)modname;
|
|
||||||
argv[2] = NULL;
|
|
@ -1,20 +0,0 @@
|
|||||||
--- iptables-1.3.2/iptables.c.free_opts 2005-07-18 14:06:41.000000000 +0200
|
|
||||||
+++ iptables-1.3.2/iptables.c 2005-07-18 14:06:40.000000000 +0200
|
|
||||||
@@ -1028,9 +1028,6 @@
|
|
||||||
unsigned int num_old, num_new, i;
|
|
||||||
struct option *merge;
|
|
||||||
|
|
||||||
- /* Release previous options merged if any */
|
|
||||||
- free_opts(0);
|
|
||||||
-
|
|
||||||
for (num_old = 0; oldopts[num_old].name; num_old++);
|
|
||||||
for (num_new = 0; newopts[num_new].name; num_new++);
|
|
||||||
|
|
||||||
@@ -1039,6 +1036,7 @@
|
|
||||||
|
|
||||||
merge = malloc(sizeof(struct option) * (num_new + num_old + 1));
|
|
||||||
memcpy(merge, oldopts, num_old * sizeof(struct option));
|
|
||||||
+ free_opts(0); /* Release previous options merged if any */
|
|
||||||
for (i = 0; i < num_new; i++) {
|
|
||||||
merge[num_old + i] = newopts[i];
|
|
||||||
merge[num_old + i].val += *option_offset;
|
|
@ -1,699 +0,0 @@
|
|||||||
diff -urN iptables-1.3.5.no_secmark/extensions/libip6t_CONNSECMARK.c iptables-1.3.5/extensions/libip6t_CONNSECMARK.c
|
|
||||||
--- iptables-1.3.5.no_secmark/extensions/libip6t_CONNSECMARK.c 1970-01-01 01:00:00.000000000 +0100
|
|
||||||
+++ iptables-1.3.5/extensions/libip6t_CONNSECMARK.c 2006-09-07 15:09:40.000000000 +0200
|
|
||||||
@@ -0,0 +1,124 @@
|
|
||||||
+/*
|
|
||||||
+ * Shared library add-on to ip6tables to add CONNSECMARK target support.
|
|
||||||
+ *
|
|
||||||
+ * Based on the MARK and CONNMARK targets.
|
|
||||||
+ *
|
|
||||||
+ * Copyright (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
|
|
||||||
+ */
|
|
||||||
+#include <stdio.h>
|
|
||||||
+#include <string.h>
|
|
||||||
+#include <stdlib.h>
|
|
||||||
+#include <getopt.h>
|
|
||||||
+#include <ip6tables.h>
|
|
||||||
+#include <linux/netfilter/xt_CONNSECMARK.h>
|
|
||||||
+
|
|
||||||
+#define PFX "CONNSECMARK target: "
|
|
||||||
+
|
|
||||||
+static void help(void)
|
|
||||||
+{
|
|
||||||
+ printf(
|
|
||||||
+"CONNSECMARK target v%s options:\n"
|
|
||||||
+" --save Copy security mark from packet to conntrack\n"
|
|
||||||
+" --restore Copy security mark from connection to packet\n"
|
|
||||||
+"\n",
|
|
||||||
+IPTABLES_VERSION);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static struct option opts[] = {
|
|
||||||
+ { "save", 0, 0, '1' },
|
|
||||||
+ { "restore", 0, 0, '2' },
|
|
||||||
+ { 0 }
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static int parse(int c, char **argv, int invert, unsigned int *flags,
|
|
||||||
+ const struct ip6t_entry *entry, struct ip6t_entry_target **target)
|
|
||||||
+{
|
|
||||||
+ struct xt_connsecmark_target_info *info =
|
|
||||||
+ (struct xt_connsecmark_target_info*)(*target)->data;
|
|
||||||
+
|
|
||||||
+ switch (c) {
|
|
||||||
+ case '1':
|
|
||||||
+ if (*flags & CONNSECMARK_SAVE)
|
|
||||||
+ exit_error(PARAMETER_PROBLEM, PFX
|
|
||||||
+ "Can't specify --save twice");
|
|
||||||
+ info->mode = CONNSECMARK_SAVE;
|
|
||||||
+ *flags |= CONNSECMARK_SAVE;
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
+ case '2':
|
|
||||||
+ if (*flags & CONNSECMARK_RESTORE)
|
|
||||||
+ exit_error(PARAMETER_PROBLEM, PFX
|
|
||||||
+ "Can't specify --restore twice");
|
|
||||||
+ info->mode = CONNSECMARK_RESTORE;
|
|
||||||
+ *flags |= CONNSECMARK_RESTORE;
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
+ default:
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void final_check(unsigned int flags)
|
|
||||||
+{
|
|
||||||
+ if (!flags)
|
|
||||||
+ exit_error(PARAMETER_PROBLEM, PFX "parameter required");
|
|
||||||
+
|
|
||||||
+ if (flags == (CONNSECMARK_SAVE|CONNSECMARK_RESTORE))
|
|
||||||
+ exit_error(PARAMETER_PROBLEM, PFX "only one flag of --save "
|
|
||||||
+ "or --restore is allowed");
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void print_connsecmark(struct xt_connsecmark_target_info *info)
|
|
||||||
+{
|
|
||||||
+ switch (info->mode) {
|
|
||||||
+ case CONNSECMARK_SAVE:
|
|
||||||
+ printf("save ");
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
+ case CONNSECMARK_RESTORE:
|
|
||||||
+ printf("restore ");
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
+ default:
|
|
||||||
+ exit_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void print(const struct ip6t_ip6 *ip,
|
|
||||||
+ const struct ip6t_entry_target *target, int numeric)
|
|
||||||
+{
|
|
||||||
+ struct xt_connsecmark_target_info *info =
|
|
||||||
+ (struct xt_connsecmark_target_info*)(target)->data;
|
|
||||||
+
|
|
||||||
+ printf("CONNSECMARK ");
|
|
||||||
+ print_connsecmark(info);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_target *target)
|
|
||||||
+{
|
|
||||||
+ struct xt_connsecmark_target_info *info =
|
|
||||||
+ (struct xt_connsecmark_target_info*)target->data;
|
|
||||||
+
|
|
||||||
+ printf("--");
|
|
||||||
+ print_connsecmark(info);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static struct ip6tables_target connsecmark = {
|
|
||||||
+ .name = "CONNSECMARK",
|
|
||||||
+ .version = IPTABLES_VERSION,
|
|
||||||
+ .size = IP6T_ALIGN(sizeof(struct xt_connsecmark_target_info)),
|
|
||||||
+ .userspacesize = IP6T_ALIGN(sizeof(struct xt_connsecmark_target_info)),
|
|
||||||
+ .parse = &parse,
|
|
||||||
+ .help = &help,
|
|
||||||
+ .final_check = &final_check,
|
|
||||||
+ .print = &print,
|
|
||||||
+ .save = &save,
|
|
||||||
+ .extra_opts = opts
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+void _init(void)
|
|
||||||
+{
|
|
||||||
+ register_target6(&connsecmark);
|
|
||||||
+}
|
|
||||||
diff -urN iptables-1.3.5.no_secmark/extensions/libip6t_CONNSECMARK.man iptables-1.3.5/extensions/libip6t_CONNSECMARK.man
|
|
||||||
--- iptables-1.3.5.no_secmark/extensions/libip6t_CONNSECMARK.man 1970-01-01 01:00:00.000000000 +0100
|
|
||||||
+++ iptables-1.3.5/extensions/libip6t_CONNSECMARK.man 2006-09-07 15:09:40.000000000 +0200
|
|
||||||
@@ -0,0 +1,15 @@
|
|
||||||
+This module copies security markings from packets to connections
|
|
||||||
+(if unlabeled), and from connections back to packets (also only
|
|
||||||
+if unlabeled). Typically used in conjunction with SECMARK, it is
|
|
||||||
+only valid in the
|
|
||||||
+.B mangle
|
|
||||||
+table.
|
|
||||||
+.TP
|
|
||||||
+.B --save
|
|
||||||
+If the packet has a security marking, copy it to the connection
|
|
||||||
+if the connection is not marked.
|
|
||||||
+.TP
|
|
||||||
+.B --restore
|
|
||||||
+If the packet does not have a security marking, and the connection
|
|
||||||
+does, copy the security marking from the connection to the packet.
|
|
||||||
+
|
|
||||||
diff -urN iptables-1.3.5.no_secmark/extensions/libip6t_SECMARK.c iptables-1.3.5/extensions/libip6t_SECMARK.c
|
|
||||||
--- iptables-1.3.5.no_secmark/extensions/libip6t_SECMARK.c 1970-01-01 01:00:00.000000000 +0100
|
|
||||||
+++ iptables-1.3.5/extensions/libip6t_SECMARK.c 2006-09-07 15:09:32.000000000 +0200
|
|
||||||
@@ -0,0 +1,125 @@
|
|
||||||
+/*
|
|
||||||
+ * Shared library add-on to iptables to add SECMARK target support.
|
|
||||||
+ *
|
|
||||||
+ * Based on the MARK target.
|
|
||||||
+ *
|
|
||||||
+ * IPv6 version.
|
|
||||||
+ *
|
|
||||||
+ * Copyright (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
|
|
||||||
+ */
|
|
||||||
+#include <stdio.h>
|
|
||||||
+#include <string.h>
|
|
||||||
+#include <stdlib.h>
|
|
||||||
+#include <getopt.h>
|
|
||||||
+#include <ip6tables.h>
|
|
||||||
+#include <linux/netfilter/xt_SECMARK.h>
|
|
||||||
+
|
|
||||||
+#define PFX "SECMARK target: "
|
|
||||||
+
|
|
||||||
+static void help(void)
|
|
||||||
+{
|
|
||||||
+ printf(
|
|
||||||
+"SECMARK target v%s options:\n"
|
|
||||||
+" --selctx value Set the SELinux security context\n"
|
|
||||||
+"\n",
|
|
||||||
+IPTABLES_VERSION);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static struct option opts[] = {
|
|
||||||
+ { "selctx", 1, 0, '1' },
|
|
||||||
+ { 0 }
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+/* Initialize the target. */
|
|
||||||
+static void init(struct ip6t_entry_target *t, unsigned int *nfcache)
|
|
||||||
+{ }
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Function which parses command options; returns true if it
|
|
||||||
+ * ate an option.
|
|
||||||
+ */
|
|
||||||
+static int parse(int c, char **argv, int invert, unsigned int *flags,
|
|
||||||
+ const struct ip6t_entry *entry, struct ip6t_entry_target **target)
|
|
||||||
+{
|
|
||||||
+ struct xt_secmark_target_info *info =
|
|
||||||
+ (struct xt_secmark_target_info*)(*target)->data;
|
|
||||||
+
|
|
||||||
+ switch (c) {
|
|
||||||
+ case '1':
|
|
||||||
+ if (*flags & SECMARK_MODE_SEL)
|
|
||||||
+ exit_error(PARAMETER_PROBLEM, PFX
|
|
||||||
+ "Can't specify --selctx twice");
|
|
||||||
+ info->mode = SECMARK_MODE_SEL;
|
|
||||||
+
|
|
||||||
+ if (strlen(optarg) > SECMARK_SELCTX_MAX-1)
|
|
||||||
+ exit_error(PARAMETER_PROBLEM, PFX
|
|
||||||
+ "Maximum length %u exceeded by --selctx"
|
|
||||||
+ " parameter (%zu)",
|
|
||||||
+ SECMARK_SELCTX_MAX-1, strlen(optarg));
|
|
||||||
+
|
|
||||||
+ strcpy(info->u.sel.selctx, optarg);
|
|
||||||
+ *flags |= SECMARK_MODE_SEL;
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void final_check(unsigned int flags)
|
|
||||||
+{
|
|
||||||
+ if (!flags)
|
|
||||||
+ exit_error(PARAMETER_PROBLEM, PFX "parameter required");
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void print_secmark(struct xt_secmark_target_info *info)
|
|
||||||
+{
|
|
||||||
+ switch (info->mode) {
|
|
||||||
+ case SECMARK_MODE_SEL:
|
|
||||||
+ printf("selctx %s ", info->u.sel.selctx);\
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
+ default:
|
|
||||||
+ exit_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void print(const struct ip6t_ip6 *ip,
|
|
||||||
+ const struct ip6t_entry_target *target, int numeric)
|
|
||||||
+{
|
|
||||||
+ struct xt_secmark_target_info *info =
|
|
||||||
+ (struct xt_secmark_target_info*)(target)->data;
|
|
||||||
+
|
|
||||||
+ printf("SECMARK ");
|
|
||||||
+ print_secmark(info);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/* Saves the target info in parsable form to stdout. */
|
|
||||||
+static void save(const struct ip6t_ip6 *ip, const struct ip6t_entry_target *target)
|
|
||||||
+{
|
|
||||||
+ struct xt_secmark_target_info *info =
|
|
||||||
+ (struct xt_secmark_target_info*)target->data;
|
|
||||||
+
|
|
||||||
+ printf("--");
|
|
||||||
+ print_secmark(info);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static struct ip6tables_target secmark = {
|
|
||||||
+ .name = "SECMARK",
|
|
||||||
+ .version = IPTABLES_VERSION,
|
|
||||||
+ .size = IP6T_ALIGN(sizeof(struct xt_secmark_target_info)),
|
|
||||||
+ .userspacesize = IP6T_ALIGN(sizeof(struct xt_secmark_target_info)),
|
|
||||||
+ .help = &help,
|
|
||||||
+ .init = &init,
|
|
||||||
+ .parse = &parse,
|
|
||||||
+ .final_check = &final_check,
|
|
||||||
+ .print = &print,
|
|
||||||
+ .save = &save,
|
|
||||||
+ .extra_opts = opts
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+void _init(void)
|
|
||||||
+{
|
|
||||||
+ register_target6(&secmark);
|
|
||||||
+}
|
|
||||||
diff -urN iptables-1.3.5.no_secmark/extensions/libip6t_SECMARK.man iptables-1.3.5/extensions/libip6t_SECMARK.man
|
|
||||||
--- iptables-1.3.5.no_secmark/extensions/libip6t_SECMARK.man 1970-01-01 01:00:00.000000000 +0100
|
|
||||||
+++ iptables-1.3.5/extensions/libip6t_SECMARK.man 2006-09-07 15:09:32.000000000 +0200
|
|
||||||
@@ -0,0 +1,7 @@
|
|
||||||
+This is used to set the security mark value associated with the
|
|
||||||
+packet for use by security subsystems such as SELinux. It is only
|
|
||||||
+valid in the
|
|
||||||
+.B mangle
|
|
||||||
+table.
|
|
||||||
+.TP
|
|
||||||
+.BI "--selctx " "security_context"
|
|
||||||
diff -urN iptables-1.3.5.no_secmark/extensions/libipt_CONNSECMARK.c iptables-1.3.5/extensions/libipt_CONNSECMARK.c
|
|
||||||
--- iptables-1.3.5.no_secmark/extensions/libipt_CONNSECMARK.c 1970-01-01 01:00:00.000000000 +0100
|
|
||||||
+++ iptables-1.3.5/extensions/libipt_CONNSECMARK.c 2006-09-07 15:09:36.000000000 +0200
|
|
||||||
@@ -0,0 +1,126 @@
|
|
||||||
+/*
|
|
||||||
+ * Shared library add-on to iptables to add CONNSECMARK target support.
|
|
||||||
+ *
|
|
||||||
+ * Based on the MARK and CONNMARK targets.
|
|
||||||
+ *
|
|
||||||
+ * Copyright (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
|
|
||||||
+ */
|
|
||||||
+#include <stdio.h>
|
|
||||||
+#include <string.h>
|
|
||||||
+#include <stdlib.h>
|
|
||||||
+#include <getopt.h>
|
|
||||||
+#include <iptables.h>
|
|
||||||
+#include <linux/netfilter/xt_CONNSECMARK.h>
|
|
||||||
+
|
|
||||||
+#define PFX "CONNSECMARK target: "
|
|
||||||
+
|
|
||||||
+static void help(void)
|
|
||||||
+{
|
|
||||||
+ printf(
|
|
||||||
+"CONNSECMARK target v%s options:\n"
|
|
||||||
+" --save Copy security mark from packet to conntrack\n"
|
|
||||||
+" --restore Copy security mark from connection to packet\n"
|
|
||||||
+"\n",
|
|
||||||
+IPTABLES_VERSION);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static struct option opts[] = {
|
|
||||||
+ { "save", 0, 0, '1' },
|
|
||||||
+ { "restore", 0, 0, '2' },
|
|
||||||
+ { 0 }
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static int parse(int c, char **argv, int invert, unsigned int *flags,
|
|
||||||
+ const struct ipt_entry *entry, struct ipt_entry_target **target)
|
|
||||||
+{
|
|
||||||
+ struct xt_connsecmark_target_info *info =
|
|
||||||
+ (struct xt_connsecmark_target_info*)(*target)->data;
|
|
||||||
+
|
|
||||||
+ switch (c) {
|
|
||||||
+ case '1':
|
|
||||||
+ if (*flags & CONNSECMARK_SAVE)
|
|
||||||
+ exit_error(PARAMETER_PROBLEM, PFX
|
|
||||||
+ "Can't specify --save twice");
|
|
||||||
+ info->mode = CONNSECMARK_SAVE;
|
|
||||||
+ *flags |= CONNSECMARK_SAVE;
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
+ case '2':
|
|
||||||
+ if (*flags & CONNSECMARK_RESTORE)
|
|
||||||
+ exit_error(PARAMETER_PROBLEM, PFX
|
|
||||||
+ "Can't specify --restore twice");
|
|
||||||
+ info->mode = CONNSECMARK_RESTORE;
|
|
||||||
+ *flags |= CONNSECMARK_RESTORE;
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
+ default:
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void final_check(unsigned int flags)
|
|
||||||
+{
|
|
||||||
+ if (!flags)
|
|
||||||
+ exit_error(PARAMETER_PROBLEM, PFX "parameter required");
|
|
||||||
+
|
|
||||||
+ if (flags == (CONNSECMARK_SAVE|CONNSECMARK_RESTORE))
|
|
||||||
+ exit_error(PARAMETER_PROBLEM, PFX "only one flag of --save "
|
|
||||||
+ "or --restore is allowed");
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void print_connsecmark(struct xt_connsecmark_target_info *info)
|
|
||||||
+{
|
|
||||||
+ switch (info->mode) {
|
|
||||||
+ case CONNSECMARK_SAVE:
|
|
||||||
+ printf("save ");
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
+ case CONNSECMARK_RESTORE:
|
|
||||||
+ printf("restore ");
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
+ default:
|
|
||||||
+ exit_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void print(const struct ipt_ip *ip,
|
|
||||||
+ const struct ipt_entry_target *target, int numeric)
|
|
||||||
+{
|
|
||||||
+ struct xt_connsecmark_target_info *info =
|
|
||||||
+ (struct xt_connsecmark_target_info*)(target)->data;
|
|
||||||
+
|
|
||||||
+ printf("CONNSECMARK ");
|
|
||||||
+ print_connsecmark(info);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
|
|
||||||
+{
|
|
||||||
+ struct xt_connsecmark_target_info *info =
|
|
||||||
+ (struct xt_connsecmark_target_info*)target->data;
|
|
||||||
+
|
|
||||||
+ printf("--");
|
|
||||||
+ print_connsecmark(info);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static struct iptables_target connsecmark = {
|
|
||||||
+ .next = NULL,
|
|
||||||
+ .name = "CONNSECMARK",
|
|
||||||
+ .version = IPTABLES_VERSION,
|
|
||||||
+ .revision = 0,
|
|
||||||
+ .size = IPT_ALIGN(sizeof(struct xt_connsecmark_target_info)),
|
|
||||||
+ .userspacesize = IPT_ALIGN(sizeof(struct xt_connsecmark_target_info)),
|
|
||||||
+ .parse = &parse,
|
|
||||||
+ .help = &help,
|
|
||||||
+ .final_check = &final_check,
|
|
||||||
+ .print = &print,
|
|
||||||
+ .save = &save,
|
|
||||||
+ .extra_opts = opts
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+void _init(void)
|
|
||||||
+{
|
|
||||||
+ register_target(&connsecmark);
|
|
||||||
+}
|
|
||||||
diff -urN iptables-1.3.5.no_secmark/extensions/libipt_CONNSECMARK.man iptables-1.3.5/extensions/libipt_CONNSECMARK.man
|
|
||||||
--- iptables-1.3.5.no_secmark/extensions/libipt_CONNSECMARK.man 1970-01-01 01:00:00.000000000 +0100
|
|
||||||
+++ iptables-1.3.5/extensions/libipt_CONNSECMARK.man 2006-09-07 15:09:36.000000000 +0200
|
|
||||||
@@ -0,0 +1,15 @@
|
|
||||||
+This module copies security markings from packets to connections
|
|
||||||
+(if unlabeled), and from connections back to packets (also only
|
|
||||||
+if unlabeled). Typically used in conjunction with SECMARK, it is
|
|
||||||
+only valid in the
|
|
||||||
+.B mangle
|
|
||||||
+table.
|
|
||||||
+.TP
|
|
||||||
+.B --save
|
|
||||||
+If the packet has a security marking, copy it to the connection
|
|
||||||
+if the connection is not marked.
|
|
||||||
+.TP
|
|
||||||
+.B --restore
|
|
||||||
+If the packet does not have a security marking, and the connection
|
|
||||||
+does, copy the security marking from the connection to the packet.
|
|
||||||
+
|
|
||||||
diff -urN iptables-1.3.5.no_secmark/extensions/libipt_SECMARK.c iptables-1.3.5/extensions/libipt_SECMARK.c
|
|
||||||
--- iptables-1.3.5.no_secmark/extensions/libipt_SECMARK.c 1970-01-01 01:00:00.000000000 +0100
|
|
||||||
+++ iptables-1.3.5/extensions/libipt_SECMARK.c 2006-09-07 15:09:24.000000000 +0200
|
|
||||||
@@ -0,0 +1,125 @@
|
|
||||||
+/*
|
|
||||||
+ * Shared library add-on to iptables to add SECMARK target support.
|
|
||||||
+ *
|
|
||||||
+ * Based on the MARK target.
|
|
||||||
+ *
|
|
||||||
+ * Copyright (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com>
|
|
||||||
+ */
|
|
||||||
+#include <stdio.h>
|
|
||||||
+#include <string.h>
|
|
||||||
+#include <stdlib.h>
|
|
||||||
+#include <getopt.h>
|
|
||||||
+#include <iptables.h>
|
|
||||||
+#include <linux/netfilter/xt_SECMARK.h>
|
|
||||||
+
|
|
||||||
+#define PFX "SECMARK target: "
|
|
||||||
+
|
|
||||||
+static void help(void)
|
|
||||||
+{
|
|
||||||
+ printf(
|
|
||||||
+"SECMARK target v%s options:\n"
|
|
||||||
+" --selctx value Set the SELinux security context\n"
|
|
||||||
+"\n",
|
|
||||||
+IPTABLES_VERSION);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static struct option opts[] = {
|
|
||||||
+ { "selctx", 1, 0, '1' },
|
|
||||||
+ { 0 }
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+/* Initialize the target. */
|
|
||||||
+static void init(struct ipt_entry_target *t, unsigned int *nfcache)
|
|
||||||
+{ }
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Function which parses command options; returns true if it
|
|
||||||
+ * ate an option.
|
|
||||||
+ */
|
|
||||||
+static int parse(int c, char **argv, int invert, unsigned int *flags,
|
|
||||||
+ const struct ipt_entry *entry, struct ipt_entry_target **target)
|
|
||||||
+{
|
|
||||||
+ struct xt_secmark_target_info *info =
|
|
||||||
+ (struct xt_secmark_target_info*)(*target)->data;
|
|
||||||
+
|
|
||||||
+ switch (c) {
|
|
||||||
+ case '1':
|
|
||||||
+ if (*flags & SECMARK_MODE_SEL)
|
|
||||||
+ exit_error(PARAMETER_PROBLEM, PFX
|
|
||||||
+ "Can't specify --selctx twice");
|
|
||||||
+ info->mode = SECMARK_MODE_SEL;
|
|
||||||
+
|
|
||||||
+ if (strlen(optarg) > SECMARK_SELCTX_MAX-1)
|
|
||||||
+ exit_error(PARAMETER_PROBLEM, PFX
|
|
||||||
+ "Maximum length %u exceeded by --selctx"
|
|
||||||
+ " parameter (%zu)",
|
|
||||||
+ SECMARK_SELCTX_MAX-1, strlen(optarg));
|
|
||||||
+
|
|
||||||
+ strcpy(info->u.sel.selctx, optarg);
|
|
||||||
+ *flags |= SECMARK_MODE_SEL;
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void final_check(unsigned int flags)
|
|
||||||
+{
|
|
||||||
+ if (!flags)
|
|
||||||
+ exit_error(PARAMETER_PROBLEM, PFX "parameter required");
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void print_secmark(struct xt_secmark_target_info *info)
|
|
||||||
+{
|
|
||||||
+ switch (info->mode) {
|
|
||||||
+ case SECMARK_MODE_SEL:
|
|
||||||
+ printf("selctx %s ", info->u.sel.selctx);\
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
+ default:
|
|
||||||
+ exit_error(OTHER_PROBLEM, PFX "invalid mode %hhu\n", info->mode);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void print(const struct ipt_ip *ip,
|
|
||||||
+ const struct ipt_entry_target *target, int numeric)
|
|
||||||
+{
|
|
||||||
+ struct xt_secmark_target_info *info =
|
|
||||||
+ (struct xt_secmark_target_info*)(target)->data;
|
|
||||||
+
|
|
||||||
+ printf("SECMARK ");
|
|
||||||
+ print_secmark(info);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/* Saves the target info in parsable form to stdout. */
|
|
||||||
+static void save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
|
|
||||||
+{
|
|
||||||
+ struct xt_secmark_target_info *info =
|
|
||||||
+ (struct xt_secmark_target_info*)target->data;
|
|
||||||
+
|
|
||||||
+ printf("--");
|
|
||||||
+ print_secmark(info);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static struct iptables_target secmark = {
|
|
||||||
+ .next = NULL,
|
|
||||||
+ .name = "SECMARK",
|
|
||||||
+ .version = IPTABLES_VERSION,
|
|
||||||
+ .revision = 0,
|
|
||||||
+ .size = IPT_ALIGN(sizeof(struct xt_secmark_target_info)),
|
|
||||||
+ .userspacesize = IPT_ALIGN(sizeof(struct xt_secmark_target_info)),
|
|
||||||
+ .help = &help,
|
|
||||||
+ .init = &init,
|
|
||||||
+ .parse = &parse,
|
|
||||||
+ .final_check = &final_check,
|
|
||||||
+ .print = &print,
|
|
||||||
+ .save = &save,
|
|
||||||
+ .extra_opts = opts
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+void _init(void)
|
|
||||||
+{
|
|
||||||
+ register_target(&secmark);
|
|
||||||
+}
|
|
||||||
diff -urN iptables-1.3.5.no_secmark/extensions/libipt_SECMARK.man iptables-1.3.5/extensions/libipt_SECMARK.man
|
|
||||||
--- iptables-1.3.5.no_secmark/extensions/libipt_SECMARK.man 1970-01-01 01:00:00.000000000 +0100
|
|
||||||
+++ iptables-1.3.5/extensions/libipt_SECMARK.man 2006-09-07 15:09:24.000000000 +0200
|
|
||||||
@@ -0,0 +1,7 @@
+This is used to set the security mark value associated with the
+packet for use by security subsystems such as SELinux. It is only
+valid in the
+.B mangle
+table.
+.TP
+.BI "--selctx " "security_context"
diff -urN iptables-1.3.5.no_secmark/extensions/Makefile iptables-1.3.5/extensions/Makefile
--- iptables-1.3.5.no_secmark/extensions/Makefile 2006-09-07 14:48:35.000000000 +0200
+++ iptables-1.3.5/extensions/Makefile 2006-09-07 15:09:40.000000000 +0200
@@ -8,6 +8,11 @@
PF_EXT_SLIB:=ah addrtype comment connlimit connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit mac mark multiport owner physdev pkttype policy realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG
PF6_EXT_SLIB:=connmark eui64 hl icmpv6 length limit mac mark multiport owner physdev policy standard state tcp udp CONNMARK HL LOG NFQUEUE MARK TRACE
+ifeq ($(DO_SELINUX), 1)
+PF_EXT_SE_SLIB:=SECMARK CONNSECMARK
+PF6_EXT_SE_SLIB:=SECMARK CONNSECMARK
+endif
+
# Optionals
PF_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T)))
PF6_EXT_SLIB_OPTS:=$(foreach T,$(wildcard extensions/.*-test6),$(shell KERNEL_DIR=$(KERNEL_DIR) $(T)))
@@ -43,26 +48,34 @@
ifndef NO_SHARED_LIBS
SHARED_LIBS+=$(foreach T,$(PF_EXT_SLIB),extensions/libipt_$(T).so)
+SHARED_SE_LIBS+=$(foreach T,$(PF_EXT_SE_SLIB),extensions/libipt_$(T).so)
EXTRA_INSTALLS+=$(foreach T, $(PF_EXT_SLIB), $(DESTDIR)$(LIBDIR)/iptables/libipt_$(T).so)
+EXTRA_INSTALLS+=$(foreach T, $(PF_EXT_SE_SLIB), $(DESTDIR)$(LIBDIR)/iptables/libipt_$(T).so)
ifeq ($(DO_IPV6), 1)
SHARED_LIBS+=$(foreach T,$(PF6_EXT_SLIB),extensions/libip6t_$(T).so)
+SHARED_SE_LIBS+=$(foreach T,$(PF6_EXT_SE_SLIB),extensions/libip6t_$(T).so)
EXTRA_INSTALLS+=$(foreach T, $(PF6_EXT_SLIB), $(DESTDIR)$(LIBDIR)/iptables/libip6t_$(T).so)
+EXTRA_INSTALLS+=$(foreach T, $(PF6_EXT_SE_SLIB), $(DESTDIR)$(LIBDIR)/iptables/libip6t_$(T).so)
endif
else # NO_SHARED_LIBS
EXT_OBJS+=$(foreach T,$(PF_EXT_SLIB),extensions/libipt_$(T).o)
+EXT_OBJS+=$(foreach T,$(PF_EXT_SE_SLIB),extensions/libipt_$(T).o)
EXT_FUNC+=$(foreach T,$(PF_EXT_SLIB),ipt_$(T))
+EXT_FUNC+=$(foreach T,$(PF_EXT_SE_SLIB),ipt_$(T))
EXT_OBJS+= extensions/initext.o
ifeq ($(DO_IPV6), 1)
EXT6_OBJS+=$(foreach T,$(PF6_EXT_SLIB),extensions/libip6t_$(T).o)
+EXT6_OBJS+=$(foreach T,$(PF6_EXT_SE_SLIB),extensions/libip6t_$(T).o)
EXT6_FUNC+=$(foreach T,$(PF6_EXT_SLIB),ip6t_$(T))
+EXT6_FUNC+=$(foreach T,$(PF6_EXT_SE_SLIB),ip6t_$(T))
EXT6_OBJS+= extensions/initext6.o
endif # DO_IPV6
endif # NO_SHARED_LIBS
ifndef TOPLEVEL_INCLUDED
local:
- cd .. && $(MAKE) $(SHARED_LIBS)
+ cd .. && $(MAKE) $(SHARED_LIBS) $(SHARED_SE_LIBS)
endif
ifdef NO_SHARED_LIBS
diff -urN iptables-1.3.5.no_secmark/Makefile iptables-1.3.5/Makefile
--- iptables-1.3.5.no_secmark/Makefile 2006-09-07 14:48:34.000000000 +0200
+++ iptables-1.3.5/Makefile 2006-09-07 15:08:41.000000000 +0200
@@ -31,6 +31,11 @@
DO_IPV6:=1
endif
+# Enable linking to libselinux via enviornment 'DO_SELINUX=1'
+ifndef DO_SELINUX
+DO_SELINUX=0
+endif
+
COPT_FLAGS:=-O2
CFLAGS:=$(COPT_FLAGS) -Wall -Wunused -I$(KERNEL_DIR)/include -Iinclude/ -DIPTABLES_VERSION=\"$(IPTABLES_VERSION)\" #-g -DDEBUG #-pg # -DIPTC_DEBUG
@@ -93,17 +98,24 @@
ifndef NO_SHARED_LIBS
DEPFILES = $(SHARED_LIBS:%.so=%.d)
+DEPFILES += $(SHARED_SE_LIBS:%.so=%.d)
SH_CFLAGS:=$(CFLAGS) -fPIC
STATIC_LIBS =
STATIC6_LIBS =
LDFLAGS = -rdynamic
LDLIBS = -ldl
+ifeq ($(DO_SELINUX), 1)
+LDLIBS += -lselinux
+endif
else
DEPFILES = $(EXT_OBJS:%.o=%.d)
STATIC_LIBS = extensions/libext.a
STATIC6_LIBS = extensions/libext6.a
LDFLAGS = -static
LDLIBS =
+ifeq ($(DO_SELINUX), 1)
+LDLIBS += -lselinux
+endif
endif
.PHONY: default
diff -urN iptables-1.3.5.no_secmark/Rules.make iptables-1.3.5/Rules.make
--- iptables-1.3.5.no_secmark/Rules.make 2006-09-07 14:48:36.000000000 +0200
+++ iptables-1.3.5/Rules.make 2006-09-07 15:08:04.000000000 +0200
@@ -1,12 +1,12 @@
#! /usr/bin/make
-all: $(SHARED_LIBS) $(EXTRAS)
+all: $(SHARED_LIBS) $(SHARED_SE_LIBS) $(EXTRAS)
experimental: $(EXTRAS_EXP)
# Have to handle extensions which no longer exist.
clean: $(EXTRA_CLEANS)
- rm -f $(SHARED_LIBS) $(EXTRAS) $(EXTRAS_EXP) $(SHARED_LIBS:%.so=%_sh.o)
+ rm -f $(SHARED_LIBS) $(SHARED_SE_LIBS) $(EXTRAS) $(EXTRAS_EXP) $(SHARED_LIBS:%.so=%_sh.o) $(SHARED_SE_LIBS:%.so=%_sh.o)
rm -f extensions/initext.c extensions/initext6.c
@find . -name '*.[ao]' -o -name '*.so' | xargs rm -f
@@ -33,6 +33,13 @@
$(SHARED_LIBS): %.so : %_sh.o
$(CC) -shared $(EXT_LDFLAGS) -o $@ $<
+$(SHARED_SE_LIBS:%.so=%.d): %.d: %.c
+ @-$(CC) -M -MG $(CFLAGS) $< | \
+ sed -e 's@^.*\.o:@$*.d $*_sh.o:@' > $@
+
+$(SHARED_SE_LIBS): %.so : %_sh.o
+ $(LD) -shared $(EXT_LDFLAGS) -o $@ $< $(LDLIBS)
+
%_sh.o : %.c
$(CC) $(SH_CFLAGS) -o $@ -c $<
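--- a/iptables-1.3.7-nolibnsl.patch
+++ b/iptables-1.3.7-nolibnsl.patch
@@ -1,11 +0,0 @@
---- iptables-1.3.7/Makefile.nolibnsl 2006-12-04 12:16:01.000000000 +0100
-+++ iptables-1.3.7/Makefile 2007-01-09 19:34:28.000000000 +0100
-@@ -103,7 +103,7 @@
-STATIC_LIBS =
-STATIC6_LIBS =
-LDFLAGS = -rdynamic
--LDLIBS = -ldl -lnsl
-+LDLIBS = -ldl
-ifeq ($(DO_SELINUX), 1)
-LDLIBS += -lselinux
-endif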
@ -2,18 +2,11 @@
Name: iptables
Name: iptables
Summary: Tools for managing Linux kernel packet filtering capabilities.
Summary: Tools for managing Linux kernel packet filtering capabilities.
Version: 1.3.7
Version: 1.3.8
Release: 2
Release: 1
Source: http://www.netfilter.org/%{name}-%{version}.tar.bz2
Source: http://www.netfilter.org/%{name}-%{version}.tar.bz2
Source1: iptables.init
Source1: iptables.init
Source2: iptables-config
Source2: iptables-config
Patch2: iptables-1.3.7-nolibnsl.patch
Patch4: iptables-1.2.9-netlink.patch
Patch5: iptables-1.3.0-selinux.patch
Patch6: iptables-1.2.10-counters.patch
Patch8: iptables-1.3.0-cleanup.patch
Patch9: iptables-1.3.0-autoload.patch
Patch10: iptables-1.3.0-no_root.patch
Group: System Environment/Base
Group: System Environment/Base
URL: http://www.netfilter.org/
URL: http://www.netfilter.org/
BuildRoot: %{_tmppath}/%{name}-buildroot
BuildRoot: %{_tmppath}/%{name}-buildroot
@ -61,13 +54,6 @@ you should install this package.
rm -rf %{buildroot}
rm -rf %{buildroot}
%setup -q
%setup -q
%patch2 -p1 -b .nolibnsl
%patch4 -p1 -b .netlink
%patch5 -p1 -b .selinux
%patch6 -p1 -b .counters
%patch8 -p1 -b .cleanup
%patch9 -p1 -b .autoload
%patch10 -p1 -b .no_root
# Put it to a reasonable place
# Put it to a reasonable place
find . -type f -exec perl -pi -e "s,/usr/local,%{prefix},g" {} \;
find . -type f -exec perl -pi -e "s,/usr/local,%{prefix},g" {} \;
@ -153,6 +139,9 @@ fi
%endif
%endif
%changelog
%changelog
* Fri Jul 13 2007 Steve Conklin <sconklin@redhat.com> - 1.3.8-1
- New version 1.3.8
* Mon Apr 23 2007 Jeremy Katz <katzj@redhat.com> - 1.3.7-2
* Mon Apr 23 2007 Jeremy Katz <katzj@redhat.com> - 1.3.7-2
- fix error when ipv6 support isn't loaded in the kernel (#236888)
- fix error when ipv6 support isn't loaded in the kernel (#236888)
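Review bot: The changelog entry `- New version 1.3.8` gives no reason for dropping Patch2, Patch4, Patch5, Patch6, Patch8, Patch9 and Patch10 together with their %patch lines in the two hunks above, so a later reader cannot tell which of those fixes were merged upstream and which are being abandoned. Patch5 in particular carried the DO_SELINUX build switch, the -lselinux linkage and the SECMARK/CONNSECMARK extensions visible earlier on this page; if any of that is not in 1.3.8 the rebase silently loses it. I'd expand the entry to `- New version 1.3.8; drop patches merged upstream (nolibnsl, netlink, selinux, counters, cleanup, autoload, no_root)` once that has been checked, and keep any patch that is not upstream rebased rather than removed. The %build section is outside these hunks, so I cannot see whether it still passes DO_SELINUX=1; worth confirming that knob still does something against the upstream Makefile.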