iptables branch, master, updated. v1.4.10-85-g2ad8dc8

Patrick McHardy netfilter-cvslog-bounces at lists.netfilter.org
Sun Feb 27 16:19:54 CET 2011


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "iptables".

The branch, master has been updated
       via  2ad8dc895ec28a173c629c695c2e11c41b625b6e (commit)
       via  adcb28101d53c2a7f372de256b1af50804fee899 (commit)
       via  11e250ba02349cb1e34058673db3d0b54eb56c44 (commit)
       via  64230aa45c5ad8505d81812d19bd2ee9a37e3467 (commit)
       via  4b110b426df7bf486a3e7884c56ebb3487023601 (commit)
       via  2d039bcf8421c992fb74849facc2d7205960f68e (commit)
       via  8a5270b14908b3173de080a958e50e21e2f046de (commit)
       via  37f6d57c4e030a459ccafafd8a574e327315e148 (commit)
       via  887f58666af9ccde7051169aa9d6160d7e09ec46 (commit)
      from  094f104af71ca859c7c44406baed401659ad9421 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 2ad8dc895ec28a173c629c695c2e11c41b625b6e
Author: Wes Campaigne <westacular at gmail.com>
Date:   Mon Feb 21 19:10:10 2011 -0500

    xtables: use all IPv6 addresses resolved from a hostname
    
    Fixes a long-standing issue where host_to_ip6addr would only ever
    examine/return the first item of the address chain returned by
    getaddrinfo, instead of traversing the chain and copying each of them.
    
    This has always been how host_to_ip6addr behaves, and all of the other
    related IPv6 code is already written to handle multiple possible
    addresses.
    
    [Style fixups. Removal of redundant i<*naddrs check. -j.eng]
    
    Signed-off-by: Wes Campaigne <westacular at gmail.com>

commit adcb28101d53c2a7f372de256b1af50804fee899
Author: Wes Campaigne <westacular at gmail.com>
Date:   Mon Feb 21 19:10:12 2011 -0500

    xtables: fix the broken detection/removal of redundant addresses
    
    	[To observe this issue, populate a hostname (DNS or local db)
    	with multiple addresses across multiple subnets (cf. prefixlen
    	below)
    
    	# e.g. /etc/hosts
    	127.0.0.2       lo-x
    	127.0.0.3       lo-x
    	127.0.1.4       lo-x
    	127.0.1.5       lo-x
    	127.0.2.6       lo-x
    
    	Then invoke xtables_ipparse_any by e.g. `-m conntrack
    	--ctorigsrc lo-x/24`. -j.eng]
    
    This same block of code, apparently to detect if addresses are
    identical after applying the mask, and to skip the duplicates and the
    ones made redundant by the mask, has been present and unchanged from
    as far back as I could find (circa iptables 1.2).
    
    By inspection, it was wrong, and always has been: once the code finds
    a duplicate, it will drop the rest of the array one by one as it
    re-detects the same duplicate over and over. When the addresses came
    from a single hostname lookup, and their order was random, then this
    created unpredictable behaviour by iptables, which seemed to ignore some
    of those addresses at random times.
    
    I suspect the original idea also involved a swap between the duplicate
    and the address from the (current) end of the array, but a line of
    code to do that seems to have never existed. I have finally added it.
    (Well, as much as is needed: there does not need to be a full swap,
    because we are just going to ignore the duplicate, pretend the array
    is one shorter, and never look at the contents of the end again. So,
    we can get away with just copying from the end.)
    
    [Reword comment about shuffle: replace by mentioning tail copy to
    replace dup. -j.eng]
    
    Signed-off-by: Wes Campaigne <westacular at gmail.com>
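The mask-then-deduplicate logic this commit describes, as an added C example that is not iptables code: the fixed loop replaces a duplicate with the array's current tail, beside a reconstruction of the failure mode the message describes, both run over the lo-x addresses from the /etc/hosts snippet above with a /24 mask. Function names and the exact shape of the broken variant are assumptions for illustration.

```c
#include <arpa/inet.h>
#include <sys/socket.h>
/* Fixed logic: mask each address, then drop entries that became identical. The
 * duplicate slot takes the current last element, the length shrinks by one, and
 * the slot is re-examined because its new contents have not been masked yet. */
static unsigned int mask_and_dedup(struct in_addr *a, unsigned int n, struct in_addr mask)
{
    for (unsigned int i = 0; i < n; ++i) {
        a[i].s_addr &= mask.s_addr;
        for (unsigned int j = 0; j < i; ++j)
            if (a[j].s_addr == a[i].s_addr) {
                a[i] = a[--n]; --i;  /* tail copy replaces the duplicate */
                break;
            }
    }
    return n;
}

/* Reconstruction of the failure the commit message describes: the duplicate slot
 * is never replaced, so it is re-detected on every pass and one tail entry is
 * discarded each time, until everything from the first duplicate onward is gone. */
static unsigned int mask_and_dedup_broken(struct in_addr *a, unsigned int n, struct in_addr mask)
{
    for (unsigned int i = 0; i < n; ++i) {
        a[i].s_addr &= mask.s_addr;
        for (unsigned int j = 0; j < i; ++j)
            if (a[j].s_addr == a[i].s_addr) {
                --n; --i;  /* shrink, but slot i still holds the duplicate */
                break;
            }
    }
    return n;
}

/* Constructed sample: the lo-x addresses from the /etc/hosts snippet in the
 * commit message, masked with /24 (sample data, not project code). */
static const char *const SAMPLE_HOSTS[] = {
    "127.0.0.2", "127.0.0.3", "127.0.1.4", "127.0.1.5", "127.0.2.6"
};
#define SAMPLE_N (sizeof(SAMPLE_HOSTS) / sizeof(SAMPLE_HOSTS[0]))

/* Run one implementation over the sample; "out" (SAMPLE_N slots) receives the
 * surviving masked networks. Returns how many survived. */
static unsigned int run_sample(int fixed, struct in_addr *out)
{
    struct in_addr mask;
    for (unsigned int i = 0; i < SAMPLE_N; ++i)
        inet_pton(AF_INET, SAMPLE_HOSTS[i], &out[i]);
    inet_pton(AF_INET, "255.255.255.0", &mask);
    return fixed ? mask_and_dedup(out, SAMPLE_N, mask) : mask_and_dedup_broken(out, SAMPLE_N, mask);
}
```

With the fixed loop the five hosts collapse to the three /24 networks; the reconstructed broken loop keeps only 127.0.0.0, discarding 127.0.1.0 and 127.0.2.0 entirely.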

commit 11e250ba02349cb1e34058673db3d0b54eb56c44
Author: Wes Campaigne <westacular at gmail.com>
Date:   Mon Feb 21 19:10:11 2011 -0500

    xtables: fix excessive memory allocation in host_to_ipaddr
    
    host_to_ipaddr was unnecessarily asking for an array of length n^2 to
    store just n addresses.
    
    Signed-off-by: Wes Campaigne <westacular at gmail.com>

commit 64230aa45c5ad8505d81812d19bd2ee9a37e3467
Author: Wes Campaigne <westacular at gmail.com>
Date:   Mon Feb 21 19:10:10 2011 -0500

    libxtables: avoid confusing use of ai_protocol=IPPROTO_IPV6
    
    [Split hunk from Wes's submission. Added commit message. -j.eng]
    
    ai_protocol normally specifies the L4 protocol one wants to
    specifically inquire about when a service (2nd parameter to
    getaddrinfo) is specified. Such a service lookup would potentially
    yield nothing, because there just is not any "mytunnel 2222/ipv6" in
    /etc/services, since IPPROTO_IPV6 itself is not a protocol with a
    concept of (port-based) services to begin with.
    
    Signed-off-by: Jan Engelhardt <jengelh at medozas.de>

commit 4b110b426df7bf486a3e7884c56ebb3487023601
Author: Jan Engelhardt <jengelh at medozas.de>
Date:   Mon Feb 21 03:21:18 2011 +0100

    libxtables: fix memory scribble beyond end of array
    
    When using -s "", the "n" variable in the code remains uninitialized
    and usually scribbles beyond the end of the array.
    
    Furthermore, "n" is just as big as entries in the last host lookup.
    When specifying more than one item to -s, e.g. "-s host,host", "n" is
    less than "count", and we are not masking the addresses at all
    (leaving them at addr/32 resp. addr/128).
    
    The issue goes back to the initial code from v1.4.5~21.
    
    References: http://bugs.debian.org/611990
    Signed-off-by: Jan Engelhardt <jengelh at medozas.de>

commit 2d039bcf8421c992fb74849facc2d7205960f68e
Author: Jan Engelhardt <jengelh at medozas.de>
Date:   Mon Feb 21 02:59:50 2011 +0100

    doc: rateest options can be optional
    
    Signed-off-by: Jan Engelhardt <jengelh at medozas.de>

commit 8a5270b14908b3173de080a958e50e21e2f046de
Author: Jan Engelhardt <jengelh at medozas.de>
Date:   Sun Feb 20 20:30:56 2011 +0100

    libxt_quota: require --quota to be specified
    
    It is pretty pointless to use -m quota without specifying --quota.
    There would be nothing left to count down on.
    
    Signed-off-by: Jan Engelhardt <jengelh at medozas.de>

commit 37f6d57c4e030a459ccafafd8a574e327315e148
Author: Jan Engelhardt <jengelh at medozas.de>
Date:   Sun Feb 20 17:15:14 2011 +0100

    doc: fix odd partial sentence in libipt_TTL
    
    Signed-off-by: Jan Engelhardt <jengelh at medozas.de>

commit 887f58666af9ccde7051169aa9d6160d7e09ec46
Author: Jan Engelhardt <jengelh at medozas.de>
Date:   Sun Feb 20 17:13:03 2011 +0100

    doc: mention other possible nf_loggers for TRACE
    
    Signed-off-by: Jan Engelhardt <jengelh at medozas.de>

-----------------------------------------------------------------------

Summary of changes:
 extensions/libipt_TTL.man    |    6 ++--
 extensions/libxt_TRACE.man   |    8 ++++--
 extensions/libxt_quota.c     |   10 +++++++-
 extensions/libxt_rateest.man |    8 +++---
 xtables.c                    |   55 ++++++++++++++++++++++-------------------
 5 files changed, 50 insertions(+), 37 deletions(-)


hooks/post-receive
-- 
iptables

