* Re: next iptables release
@ 2009-11-24 15:07 Jan Engelhardt
From: Jan Engelhardt @ 2009-11-24 15:07 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel


The following changes since commit 596c69007acb569843391e4c98dc21d6f2336e7b:
  Patrick McHardy (1):
        DNAT: fix incorrect check during parsing

are available in the git repository at:

  git://dev.medozas.de/iptables master

Jan Engelhardt (3):
      iptables: take masks into consideration for replace command
      doc: explain experienced --hitcount limit
      doc: name resolution clarification

 extensions/libxt_recent.man |    4 +++-
 ip6tables.8.in              |   10 ++++++----
 ip6tables.c                 |   10 ++++++----
 iptables.8.in               |    8 +++++---
 iptables.c                  |   10 ++++++----
 5 files changed, 26 insertions(+), 16 deletions(-)


* [PATCH 1/3] iptables: take masks into consideration for replace command
From: Jan Engelhardt @ 2009-11-24 15:07 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

The two commands:

-A OUTPUT -d 10.11.12.13/32 -j LOG
-R OUTPUT 1 -j LOG -d 10.11.12.13

will replace 10.11.12.13/32 by 10.11.12.13/0, which is not right.
(No regression, this problem was there forever.)

Reported-by: Werner Pawlitschko <werner.pawlitschko@arcor.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 ip6tables.c |   10 ++++++----
 iptables.c  |   10 ++++++----
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/ip6tables.c b/ip6tables.c
index f6daa51..e2359df 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -758,13 +758,15 @@ static int
 replace_entry(const ip6t_chainlabel chain,
 	      struct ip6t_entry *fw,
 	      unsigned int rulenum,
-	      const struct in6_addr *saddr,
-	      const struct in6_addr *daddr,
+	      const struct in6_addr *saddr, const struct in6_addr *smask,
+	      const struct in6_addr *daddr, const struct in6_addr *dmask,
 	      int verbose,
 	      struct ip6tc_handle *handle)
 {
 	fw->ipv6.src = *saddr;
 	fw->ipv6.dst = *daddr;
+	fw->ipv6.smsk = *smask;
+	fw->ipv6.dmsk = *dmask;
 
 	if (verbose)
 		print_firewall_line(fw, handle);
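Review bot: style only: the new prototype packs two parameters per line (`const struct in6_addr *saddr, const struct in6_addr *smask,`) while the rest of the declaration keeps one per line (`unsigned int rulenum,`, `int verbose,`); one parameter per line would match the surrounding code and make the added mask arguments easier to spot in a later diff. The assignments themselves look right: `fw->ipv6.smsk = *smask;` and `fw->ipv6.dmsk = *dmask;` sit directly after the existing src/dst copies, so the entry handed to the kernel now carries the parsed prefix instead of the zeroed mask it had before.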
@@ -1947,8 +1949,8 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
 		break;
 	case CMD_REPLACE:
 		ret = replace_entry(chain, e, rulenum - 1,
-				    saddrs, daddrs, options&OPT_VERBOSE,
-				    *handle);
+				    saddrs, smasks, daddrs, dmasks,
+				    options&OPT_VERBOSE, *handle);
 		break;
 	case CMD_INSERT:
 		ret = insert_entry(chain, e, rulenum - 1,
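Review bot: only the first parsed address/mask pair reaches the kernel here: `saddrs, smasks, daddrs, dmasks` are passed as arrays, but `replace_entry` takes single `const struct in6_addr *` parameters, so element 0 is used and anything after it is silently dropped. That is pre-existing behaviour, not something this patch introduces, but a comment, or an error when more than one address was parsed, would make the limitation explicit. The interleaved argument order (address, mask, address, mask) matches the new prototype.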
diff --git a/iptables.c b/iptables.c
index a69aab3..08eb134 100644
--- a/iptables.c
+++ b/iptables.c
@@ -760,13 +760,15 @@ static int
 replace_entry(const ipt_chainlabel chain,
 	      struct ipt_entry *fw,
 	      unsigned int rulenum,
-	      const struct in_addr *saddr,
-	      const struct in_addr *daddr,
+	      const struct in_addr *saddr, const struct in_addr *smask,
+	      const struct in_addr *daddr, const struct in_addr *dmask,
 	      int verbose,
 	      struct iptc_handle *handle)
 {
 	fw->ip.src.s_addr = saddr->s_addr;
 	fw->ip.dst.s_addr = daddr->s_addr;
+	fw->ip.smsk.s_addr = smask->s_addr;
+	fw->ip.dmsk.s_addr = dmask->s_addr;
 
 	if (verbose)
 		print_firewall_line(fw, handle);
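Review bot: same pattern as the ip6tables.c hunk and looks correct; `fw->ip.smsk.s_addr = smask->s_addr;` and `fw->ip.dmsk.s_addr = dmask->s_addr;` copy the mask field by field right after the src/dst copies, so a replaced rule keeps its /32 (or whatever prefix was given) instead of degrading to /0. Same style nit as in ip6tables.c: the prototype now has two parameters per line where the neighbours have one.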
@@ -1988,8 +1990,8 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle
 		break;
 	case CMD_REPLACE:
 		ret = replace_entry(chain, e, rulenum - 1,
-				    saddrs, daddrs, options&OPT_VERBOSE,
-				    *handle);
+				    saddrs, smasks, daddrs, dmasks,
+				    options&OPT_VERBOSE, *handle);
 		break;
 	case CMD_INSERT:
 		ret = insert_entry(chain, e, rulenum - 1,
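Review bot: the call passes the `saddrs`/`smasks`/`daddrs`/`dmasks` arrays into single-pointer parameters, so only the first address/mask pair is used; the iptables.8.in text in patch 3/3 advertises `[\fB,\fP\fI...\fP]` lists for `\-s`, so a user writing `-R ... -s a,b` gets a rule for `a` only with no diagnostic. Not a regression from this patch, but worth either a comment here or a check that rejects multiple addresses for the replace command.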
-- 
1.6.5.2
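The mask loss described in the commit message, modelled as an added example (not code from the patch or from iptables itself): the struct and functions are simplified stand-ins for ipt_ip and replace_entry, with the pre-fix and fixed copy side by side and a kernel-style address match to show that the pre-fix rule for 10.11.12.13 ends up as /0 and matches every destination.

```c
/* Added example, not the patch's code: a cut-down model of the replace path. */
#include <arpa/inet.h>
#include <string.h>

struct rule_ip { struct in_addr dst, dmsk; };  /* stand-in for ipt_ip's dst part */

/* Pre-fix replace_entry: copies the address but leaves dmsk as the zero it had. */
static void replace_old(struct rule_ip *fw, const struct in_addr *d) { fw->dst = *d; }

/* Fixed replace_entry: copies the mask too, as the patch adds. */
static void replace_fixed(struct rule_ip *fw, const struct in_addr *d,
			  const struct in_addr *m) { fw->dst = *d; fw->dmsk = *m; }

/* Kernel-style address match: (packet & mask) == (rule & mask). */
static int rule_matches(const struct rule_ip *r, const char *pkt_dst)
{
	struct in_addr p;
	if (inet_pton(AF_INET, pkt_dst, &p) != 1)
		return 0;
	return (p.s_addr & r->dmsk.s_addr) == (r->dst.s_addr & r->dmsk.s_addr);
}

/* Model "-R OUTPUT 1 -d 10.11.12.13" built the old or the fixed way. */
static struct rule_ip build_replaced(int use_fix)
{
	struct rule_ip fw;
	struct in_addr daddr, dmask;
	memset(&fw, 0, sizeof(fw));          /* fresh entry: mask starts at 0 */
	inet_pton(AF_INET, "10.11.12.13", &daddr);
	dmask.s_addr = htonl(0xffffffffu);   /* a plain address means /32 */
	if (use_fix) replace_fixed(&fw, &daddr, &dmask);
	else         replace_old(&fw, &daddr);
	return fw;
}

/* Prefix length the kernel receives: 32 with the fix, 0 without (mask is contiguous). */
int replaced_prefix_len(int use_fix)
{
	struct rule_ip r = build_replaced(use_fix);
	return __builtin_popcount(ntohl(r.dmsk.s_addr));
}

/* Does the replaced rule match a packet sent to pkt_dst? */
int replaced_matches(int use_fix, const char *pkt_dst)
{
	struct rule_ip r = build_replaced(use_fix);
	return rule_matches(&r, pkt_dst);
}
```

With a DROP or ACCEPT target instead of LOG, the pre-fix behaviour is a host-specific rule silently turning into a rule for all traffic, which is why the fix matters beyond cosmetics.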



* [PATCH 2/3] doc: explain experienced --hitcount limit
From: Jan Engelhardt @ 2009-11-24 15:07 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libxt_recent.man |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man
index 9d5a64e..aa138df 100644
--- a/extensions/libxt_recent.man
+++ b/extensions/libxt_recent.man
@@ -44,7 +44,9 @@ This option must be used in conjunction with one of \fB\-\-rcheck\fP or
 address is in the list and packets had been received greater than or equal to
 the given value. This option may be used along with \fB\-\-seconds\fP to create
 an even narrower match requiring a certain number of hits within a specific
-time frame.
+time frame. The maximum value for the hitcount parameter is given by the
+"ip_pkt_list_tot" parameter of the xt_recent kernel module. Exceeding this
+value on the command line will cause the rule to be rejected.
 .TP
 \fB\-\-rttl\fP
 This option may only be used in conjunction with one of \fB\-\-rcheck\fP or
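Review bot: the added sentence quotes the module parameter with plain double quotes (`"ip_pkt_list_tot"`) while the rest of this page marks keywords with `\fB...\fP` (e.g. `\fB\-\-seconds\fP`); `\fBip_pkt_list_tot\fP` would be consistent. It would also help the reader to say that this is a parameter of the xt_recent module set when it is loaded, so they know where the limit is changed rather than only that the rule is rejected.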
-- 
1.6.5.2



* [PATCH 3/3] doc: name resolution clarification
From: Jan Engelhardt @ 2009-11-24 15:07 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

Sometimes there are users who wonder about when name resolutions/DNS
queries are done, so let's add that for completeness.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 ip6tables.8.in |   10 ++++++----
 iptables.8.in  |    8 +++++---
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/ip6tables.8.in b/ip6tables.8.in
index 66d8543..5688133 100644
--- a/ip6tables.8.in
+++ b/ip6tables.8.in
@@ -240,10 +240,12 @@ option is omitted.
 .TP
 [\fB!\fP] \fB\-s\fP, \fB\-\-source\fP \fIaddress\fP[\fB/\fP\fImask\fP]
 Source specification.
-\fIAddress\fP can be either a hostname (please note that specifying
-any name to be resolved with a remote query such as DNS is a really bad idea),
-a network IPv6 address (with \fB/\fP\fImask\fP), or a plain IPv6 address.
-(the network name isn't supported now).
+\fIAddress\fP can be either be a hostname,
+a network IP address (with \fB/\fP\fImask\fP), or a plain IP address.
+Names will be resolved once only, before the rule is submitted to the kernel.
+Please note that specifying any name to be resolved with a remote query such as
+DNS is a really bad idea.
+(Resolving network names is not supported at this time.)
 The \fImask\fP is a plain number,
 specifying the number of 1's at the left side of the network mask.
 A "!" argument before the address specification inverts the sense of
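Review bot: typo in the added line `\fIAddress\fP can be either be a hostname,`: doubled "be". The rewritten lines also drop the IPv6 qualifier the removed text had (`a network IPv6 address`, `a plain IPv6 address`) in favour of "network IP address" / "plain IP address"; in the ip6tables page the IPv6 wording is worth keeping. The sentence "Names will be resolved once only, before the rule is submitted to the kernel." is the useful addition; spelling out why remote resolution is a bad idea (the rule's address set is whatever the resolver answered at load time and is not re-evaluated) would make the warning actionable.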
diff --git a/iptables.8.in b/iptables.8.in
index 928f46a..d29deb2 100644
--- a/iptables.8.in
+++ b/iptables.8.in
@@ -239,9 +239,11 @@ option is omitted.
 .TP
 [\fB!\fP] \fB\-s\fP, \fB\-\-source\fP \fIaddress\fP[\fB/\fP\fImask\fP][\fB,\fP\fI...\fP]
 Source specification. \fIAddress\fP
-can be either a network name, a hostname (please note that specifying
-any name to be resolved with a remote query such as DNS is a really bad idea),
-a network IP address (with \fB/\fP\fImask\fP), or a plain IP address.
+can be either a network name, a hostname, a network IP address (with
+\fB/\fP\fImask\fP), or a plain IP address. Hostnames will
+be resolved once only, before the rule is submitted to the kernel.
+Please note that specifying any name to be resolved with a remote query such as
+DNS is a really bad idea.
 The \fImask\fP
 can be either a network mask or a plain number,
 specifying the number of 1's at the left side of the network mask.
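Review bot: "Hostnames will be resolved once only, before the rule is submitted to the kernel." is the useful clarification; since the `\-s` syntax line on this page shows `[\fB,\fP\fI...\fP]` lists, consider also stating what happens when a name resolves to more than one address. As in the ip6tables.8.in hunk, a one-line reason for the "really bad idea" warning (the rule freezes whatever the resolver returned at load time) would give the reader something to act on.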
-- 
1.6.5.2



* Re: next iptables release
From: Patrick McHardy @ 2009-11-24 15:13 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

Jan Engelhardt wrote:
> The following changes since commit 596c69007acb569843391e4c98dc21d6f2336e7b:
>   Patrick McHardy (1):
>         DNAT: fix incorrect check during parsing
> 
> are available in the git repository at:
> 
>   git://dev.medozas.de/iptables master
> 
> Jan Engelhardt (3):
>       iptables: take masks into consideration for replace command
>       doc: explain experienced --hitcount limit
>       doc: name resolution clarification

Looks good, pulled and pushed out again. Thanks Jan.


