iptables branch, master, updated. v1.4.10-30-g63ef52a
Pablo Neira Ayuso
netfilter-cvslog-bounces at lists.netfilter.org
Sun Jan 9 20:15:52 CET 2011
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "iptables".
The branch, master has been updated
via 63ef52ac6bf8d555779456166009bd2f6b0a1081 (commit)
via dfbedfedf610210c4ee3f00e9c4f9ea24c4ffe23 (commit)
via e814c8b894e5b8d1570c18aec2c67dfb0c0a59c0 (commit)
via da580fe55ebf234febf4a8880f53a80870e9088f (commit)
via d09b6d591ca7d7d7575cb6aa20384c9830f777ab (commit)
via fa503ad59f73d20d85f4cdf53324a01d2ad8591e (commit)
via 1e128bd804b676ee91beca48312de9b251845d09 (commit)
via 1dc27393b7ba401e6228a5ee2472a6eb72836c43 (commit)
via 5b1fecc7d017df093db7c667bcd1718e45b1df67 (commit)
via 7ac405297ec38449b30e3b05fd6bf2082fd3d803 (commit)
via 4a1d810bb52aa5d5c450f7adcde5145d40261b54 (commit)
via d1435e0772e40c310dff35abe7bf1e7de5b18ee4 (commit)
via f6d6449c88812634e663cef4e09db7b691af3eb5 (commit)
from 3a84b3d5de492e40aff7bae5038b06dd6b6041c4 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------

commit 63ef52ac6bf8d555779456166009bd2f6b0a1081
Author: Stephen Beahm <stephenbeahm at comcast.net>
Date: Thu Dec 9 06:15:50 2010 -0500

    libipt_REDIRECT: avoid dereference of uninitialized pointer

    When using --to-ports with a port name instead of a numerical
    specification, a segfault occurs.

    References: http://bugzilla.netfilter.org/show_bug.cgi?id=691
    Signed-off-by: Jan Engelhardt <jengelh at medozas.de>

commit dfbedfedf610210c4ee3f00e9c4f9ea24c4ffe23
Author: Jan Engelhardt <jengelh at medozas.de>
Date: Sat Jan 8 03:31:04 2011 +0100

    libxtables: do some option structure checking

    libxt_recent's use of numeric values >200 always looked worrisome. Now
    here is a validation routine for such.

    Signed-off-by: Jan Engelhardt <jengelh at medozas.de>

commit e814c8b894e5b8d1570c18aec2c67dfb0c0a59c0
Author: Jan Engelhardt <jengelh at medozas.de>
Date: Sat Jan 8 03:16:51 2011 +0100

    libipt_CLUSTERIP: const annotations

    Signed-off-by: Jan Engelhardt <jengelh at medozas.de>

commit da580fe55ebf234febf4a8880f53a80870e9088f
Author: Jan Engelhardt <jengelh at medozas.de>
Date: Sat Jan 8 03:16:14 2011 +0100

    libxt_sctp: fix a typo

    Signed-off-by: Jan Engelhardt <jengelh at medozas.de>

commit d09b6d591ca7d7d7575cb6aa20384c9830f777ab
Author: Jan Engelhardt <jengelh at medozas.de>
Date: Sat Jan 8 03:02:37 2011 +0100

    extensions: remove no longer necessary default: cases

    Match and target parse functions now only get option characters they
    have defined themselves.

    Signed-off-by: Jan Engelhardt <jengelh at medozas.de>

commit fa503ad59f73d20d85f4cdf53324a01d2ad8591e
Author: Jan Engelhardt <jengelh at medozas.de>
Date: Sat Jan 8 02:47:02 2011 +0100

    ip[6]tables: only call target's parse function when option char is in range

    Same as previous commit. Doing this actually allows removing code
    that is no longer needed.

    Signed-off-by: Jan Engelhardt <jengelh at medozas.de>

commit 1e128bd804b676ee91beca48312de9b251845d09
Author: Jan Engelhardt <jengelh at medozas.de>
Date: Sat Jan 8 02:25:28 2011 +0100

    ip[6]tables: only call match's parse function when option char is in range

    Normally, extensions use a "default:" case in switch(c) to just return
    if they do not handle c. Apparently, libip6t_hl does that too late and
    checks for hl-specific parsing state before it has established that c
    refers to one of its own options.
    Also affected: libipt_ttl, libxt_ipvs, libxt_policy, libxt_statistic.

    One way to fix this is to move the flags checks into case '2', '3',
    '4'. Doing this replication feels bad, so as an alternative, let's
    just free extensions from having to deal with other extensions'
    options passing thru.

    References: http://marc.info/?l=netfilter-devel&m=129444759532377&w=2
    Signed-off-by: Jan Engelhardt <jengelh at medozas.de>

commit 1dc27393b7ba401e6228a5ee2472a6eb72836c43
Author: Jan Engelhardt <jengelh at medozas.de>
Date: Sat Jan 8 02:10:52 2011 +0100

    xtables: reorder num_old subtraction for clarity

    When going over this again, I noticed we happen to malloc too much.
    That is no problem, but I felt moving the num_old adjustment upwards
    makes things more clear, and also addresses the allocation.

    Signed-off-by: Jan Engelhardt <jengelh at medozas.de>

commit 5b1fecc7d017df093db7c667bcd1718e45b1df67
Author: Jan Engelhardt <jengelh at medozas.de>
Date: Fri Jan 7 12:26:59 2011 +0100

    iptables: abort on empty interface specification

    Fiedler Roman brings to attention that if, in a faulty script,
    "$some_variable" expands to an empty string, iptables should probably
    catch this most likely undesired invocation. If no/all interfaces were
    really desired, one can either omit -i completely, or use -i +.

    References: http://marc.info/?l=netfilter&m=129439862903487&w=2
    Signed-off-by: Jan Engelhardt <jengelh at medozas.de>

commit 7ac405297ec38449b30e3b05fd6bf2082fd3d803
Author: Jan Engelhardt <jengelh at medozas.de>
Date: Fri Jan 7 12:34:04 2011 +0100

    src: use C99/POSIX types

    "u_int" was a non-standardized extension predating C99 on some platforms.

    Signed-off-by: Jan Engelhardt <jengelh at medozas.de>

commit 4a1d810bb52aa5d5c450f7adcde5145d40261b54
Author: Jan Engelhardt <jengelh at medozas.de>
Date: Sun Dec 26 10:31:03 2010 +0100

    xt_comment: remove redundant cast

commit d1435e0772e40c310dff35abe7bf1e7de5b18ee4
Author: Jan Engelhardt <jengelh at medozas.de>
Date: Sat Dec 18 01:40:04 2010 +0100

    src: const annotations

    Also one int -> uint here on the way through.

    Signed-off-by: Jan Engelhardt <jengelh at medozas.de>

commit f6d6449c88812634e663cef4e09db7b691af3eb5
Author: Rob Leslie <rob at mars.org>
Date: Tue Sep 28 00:43:00 2010 -0700

    iptables-restore: resolve confusing policy error message

    When iptables-restore (and ip6tables-restore) is unable to set a
    chain's policy, it responds with a confusing message, e.g.:

        iptables-restore v1.4.9: Can't set policy "PREROUTING" on "ACCEPT"
        line 16: Bad built-in chain name

    This is due to the chain and policy arguments being used in the wrong
    order. The attached patch corrects this problem.

    Signed-off-by: Jan Engelhardt <jengelh at medozas.de>

-----------------------------------------------------------------------
Summary of changes:
extensions/libip6t_HL.c | 4 --
extensions/libip6t_LOG.c | 5 +--
extensions/libip6t_REJECT.c | 3 --
extensions/libip6t_ah.c | 10 ++----
extensions/libip6t_dst.c | 12 +++----
extensions/libip6t_frag.c | 8 ++---
extensions/libip6t_hbh.c | 12 +++----
extensions/libip6t_hl.c | 4 +--
extensions/libip6t_icmp6.c | 13 +++-----
extensions/libip6t_ipv6header.c | 14 ++++-----
extensions/libip6t_mh.c | 13 +++-----
extensions/libip6t_rt.c | 8 ++---
extensions/libipt_CLUSTERIP.c | 8 ++---
extensions/libipt_DNAT.c | 4 +--
extensions/libipt_ECN.c | 2 -
extensions/libipt_LOG.c | 4 +--
extensions/libipt_MASQUERADE.c | 4 +--
extensions/libipt_NETMAP.c | 14 ++++-----
extensions/libipt_REDIRECT.c | 6 +--
extensions/libipt_REJECT.c | 2 -
extensions/libipt_SAME.c | 3 --
extensions/libipt_SNAT.c | 4 +--
extensions/libipt_TTL.c | 4 --
extensions/libipt_ULOG.c | 2 -
extensions/libipt_addrtype.c | 10 ++----
extensions/libipt_ah.c | 8 ++---
extensions/libipt_ecn.c | 2 -
extensions/libipt_icmp.c | 13 +++-----
extensions/libipt_realm.c | 3 --
extensions/libipt_ttl.c | 3 --
extensions/libxt_CHECKSUM.c | 2 -
extensions/libxt_CLASSIFY.c | 3 --
extensions/libxt_CONNMARK.c | 6 +--
extensions/libxt_CONNSECMARK.c | 3 --
extensions/libxt_CT.c | 2 -
extensions/libxt_DSCP.c | 5 +--
extensions/libxt_IDLETIMER.c | 3 --
extensions/libxt_MARK.c | 11 +-----
extensions/libxt_NFLOG.c | 2 -
extensions/libxt_NFQUEUE.c | 4 --
extensions/libxt_RATEEST.c | 3 --
extensions/libxt_SECMARK.c | 2 -
extensions/libxt_SET.c | 6 ----
extensions/libxt_TCPMSS.c | 3 --
extensions/libxt_TOS.c | 7 +---
extensions/libxt_cluster.c | 2 -
extensions/libxt_comment.c | 5 +--
extensions/libxt_connbytes.c | 2 -
extensions/libxt_connlimit.c | 10 ++----
extensions/libxt_connmark.c | 5 +--
extensions/libxt_conntrack.c | 10 +-----
extensions/libxt_cpu.c | 3 --
extensions/libxt_dccp.c | 18 +++++------
extensions/libxt_dscp.c | 3 --
extensions/libxt_esp.c | 8 ++---
extensions/libxt_hashlimit.c | 12 +++----
extensions/libxt_helper.c | 3 --
extensions/libxt_iprange.c | 7 +---
extensions/libxt_ipvs.c | 7 +----
extensions/libxt_length.c | 5 +--
extensions/libxt_limit.c | 13 +++-----
extensions/libxt_mac.c | 3 --
extensions/libxt_mark.c | 5 +--
extensions/libxt_multiport.c | 34 +++++++++------------
extensions/libxt_osf.c | 2 -
extensions/libxt_owner.c | 10 +++---
extensions/libxt_physdev.c | 3 --
extensions/libxt_pkttype.c | 3 --
extensions/libxt_policy.c | 6 +--
extensions/libxt_quota.c | 5 +--
extensions/libxt_rateest.c | 7 +---
extensions/libxt_recent.c | 3 --
extensions/libxt_sctp.c | 19 +++++-------
extensions/libxt_set.c | 6 ----
extensions/libxt_state.c | 3 --
extensions/libxt_statistic.c | 2 -
extensions/libxt_string.c | 3 --
extensions/libxt_tcp.c | 17 ++++------
extensions/libxt_tcpmss.c | 6 +--
extensions/libxt_tos.c | 4 +-
extensions/libxt_u32.c | 4 +-
extensions/libxt_udp.c | 9 ++----
extensions/tos_values.c | 2 +-
include/linux/netfilter/xt_comment.h | 2 +-
ip6tables-restore.c | 2 +-
ip6tables.c | 54 +++++++++++++++++++++------------
iptables-restore.c | 2 +-
iptables.c | 50 ++++++++++++++++++++-----------
libipq/libipq.c | 4 +-
libiptc/libip4tc.c | 4 +-
xshared.h | 4 ++
xtables.c | 42 +++++++++++++++++++-------
92 files changed, 262 insertions(+), 435 deletions(-)
hooks/post-receive
--
iptables