* Installer, option fixes
@ 2011-06-07 20:35 Jan Engelhardt
  2011-06-07 20:35 ` [PATCH 1/5] xtables-multi: fix absence of xml translator in IPv6-only builds Jan Engelhardt
                   ` (5 more replies)
  0 siblings, 6 replies; 9+ messages in thread
From: Jan Engelhardt @ 2011-06-07 20:35 UTC (permalink / raw)
  To: kaber; +Cc: pablo, netfilter-devel


Here are a couple of fixes. I have also taken the liberty to move the
main code into a directory of its own to unclutter the toplevel directory.
This does not impact AFAICS.

With this in, it would be prudent to produce a 1.4.12.
===
The following changes since commit a1cd1f2a4a35427c68cd0d1bd2761d5be42b12b1:

  doc: fix trivial typo in libipt_SNAT (2011-06-01 02:35:28 +0200)

are available in the git repository at:
  git://dev.medozas.de/iptables master

Jan Engelhardt (4):
      src: move all libiptc pieces into its directory
      src: move all iptables pieces into a separate directory
      tests: add some sample rulesets to test save-restore cycle
      option: fix ignored negation before implicit extension loading

Maciej Żenczykowski (1):
      xtables-multi: fix absence of xml translator in IPv6-only builds

 .gitignore                                         |   15 --
 Makefile.am                                        |   78 +---------
 configure.ac                                       |    5 +-
 iptables/.gitignore                                |   14 ++
 iptables/Makefile.am                               |   67 ++++++++
 ip6tables-multi.h => iptables/ip6tables-multi.h    |    0
 .../ip6tables-restore.8                            |    0
 .../ip6tables-restore.c                            |    0
 ip6tables-save.8 => iptables/ip6tables-save.8      |    0
 ip6tables-save.c => iptables/ip6tables-save.c      |    0
 .../ip6tables-standalone.c                         |    0
 ip6tables.8.in => iptables/ip6tables.8.in          |    0
 ip6tables.c => iptables/ip6tables.c                |    8 +-
 iptables-apply => iptables/iptables-apply          |    0
 iptables-apply.8 => iptables/iptables-apply.8      |    0
 iptables-multi.h => iptables/iptables-multi.h      |    1 -
 iptables-restore.8 => iptables/iptables-restore.8  |    0
 iptables-restore.c => iptables/iptables-restore.c  |    0
 iptables-save.8 => iptables/iptables-save.8        |    0
 iptables-save.c => iptables/iptables-save.c        |    0
 .../iptables-standalone.c                          |    0
 iptables-xml.1 => iptables/iptables-xml.1          |    0
 iptables-xml.c => iptables/iptables-xml.c          |    4 +-
 iptables.8.in => iptables/iptables.8.in            |    0
 iptables.c => iptables/iptables.c                  |    4 +-
 iptables.xslt => iptables/iptables.xslt            |    0
 xshared.c => iptables/xshared.c                    |   12 +-
 xshared.h => iptables/xshared.h                    |    2 +-
 xtables-multi.c => iptables/xtables-multi.c        |    6 +-
 iptables/xtables-multi.h                           |    6 +
 xtables.c => iptables/xtables.c                    |    0
 xtables.pc.in => iptables/xtables.pc.in            |    0
 xtoptions.c => iptables/xtoptions.c                |    0
 libiptc/.gitignore                                 |    1 +
 libiptc/Makefile.am                                |   12 ++
 libiptc.pc.in => libiptc/libiptc.pc.in             |    0
 tests/options-ipv4.rules                           |   52 ++++++
 tests/options-most.rules                           |  172 ++++++++++++++++++++
 38 files changed, 352 insertions(+), 107 deletions(-)
 create mode 100644 iptables/.gitignore
 create mode 100644 iptables/Makefile.am
 rename ip6tables-multi.h => iptables/ip6tables-multi.h (100%)
 rename ip6tables-restore.8 => iptables/ip6tables-restore.8 (100%)
 rename ip6tables-restore.c => iptables/ip6tables-restore.c (100%)
 rename ip6tables-save.8 => iptables/ip6tables-save.8 (100%)
 rename ip6tables-save.c => iptables/ip6tables-save.c (100%)
 rename ip6tables-standalone.c => iptables/ip6tables-standalone.c (100%)
 rename ip6tables.8.in => iptables/ip6tables.8.in (100%)
 rename ip6tables.c => iptables/ip6tables.c (99%)
 rename iptables-apply => iptables/iptables-apply (100%)
 rename iptables-apply.8 => iptables/iptables-apply.8 (100%)
 rename iptables-multi.h => iptables/iptables-multi.h (83%)
 rename iptables-restore.8 => iptables/iptables-restore.8 (100%)
 rename iptables-restore.c => iptables/iptables-restore.c (100%)
 rename iptables-save.8 => iptables/iptables-save.8 (100%)
 rename iptables-save.c => iptables/iptables-save.c (100%)
 rename iptables-standalone.c => iptables/iptables-standalone.c (100%)
 rename iptables-xml.1 => iptables/iptables-xml.1 (100%)
 rename iptables-xml.c => iptables/iptables-xml.c (99%)
 rename iptables.8.in => iptables/iptables.8.in (100%)
 rename iptables.c => iptables/iptables.c (99%)
 rename iptables.xslt => iptables/iptables.xslt (100%)
 rename xshared.c => iptables/xshared.c (96%)
 rename xshared.h => iptables/xshared.h (97%)
 rename xtables-multi.c => iptables/xtables-multi.c (93%)
 create mode 100644 iptables/xtables-multi.h
 rename xtables.c => iptables/xtables.c (100%)
 rename xtables.pc.in => iptables/xtables.pc.in (100%)
 rename xtoptions.c => iptables/xtoptions.c (100%)
 create mode 100644 libiptc/.gitignore
 create mode 100644 libiptc/Makefile.am
 rename libiptc.pc.in => libiptc/libiptc.pc.in (100%)
 create mode 100644 tests/options-ipv4.rules
 create mode 100644 tests/options-most.rules
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* [PATCH 1/5] xtables-multi: fix absence of xml translator in IPv6-only builds
  2011-06-07 20:35 Installer, option fixes Jan Engelhardt
@ 2011-06-07 20:35 ` Jan Engelhardt
  2011-06-07 20:36 ` [PATCH 2/5] src: move all libiptc pieces into its directory Jan Engelhardt
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 9+ messages in thread
From: Jan Engelhardt @ 2011-06-07 20:35 UTC (permalink / raw)
  To: kaber; +Cc: pablo, netfilter-devel

From: Maciej Żenczykowski <zenczykowski@gmail.com>

Commit v1.4.11-4-gde791ff did not actually build the iptables-xml code
into the xtables-multi binary.

Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 Makefile.am      |    4 ++--
 iptables-multi.h |    1 -
 iptables-xml.c   |    4 ++--
 xtables-multi.c  |    6 ++++--
 xtables-multi.h  |    6 ++++++
 5 files changed, 14 insertions(+), 7 deletions(-)
 create mode 100644 xtables-multi.h

diff --git a/Makefile.am b/Makefile.am
index 60ea83b..48f01d8 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -38,7 +38,7 @@ libxtables_la_CFLAGS  = ${AM_CFLAGS} -DNO_SHARED_LIBS=1
 libxtables_la_LIBADD  =
 endif
 
-xtables_multi_SOURCES  = xtables-multi.c
+xtables_multi_SOURCES  = xtables-multi.c iptables-xml.c
 xtables_multi_CFLAGS   = ${AM_CFLAGS} -DIPTABLES_MULTI
 xtables_multi_LDFLAGS  = -rdynamic
 xtables_multi_LDADD    = extensions/libext.a
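Review bot: with iptables-xml.c now listed unconditionally in xtables_multi_SOURCES, an IPv6-only build compiles a file that still includes "iptables.h" and "libiptc/libiptc.h" (see the iptables-xml.c hunk further down), while libiptc/libip4tc.la is only added to xtables_multi_LDADD under ENABLE_IPV4. Please state in the changelog that iptables-xml.c references no libip4tc symbols, or drop those includes, so the IPv6-only link this patch is meant to fix cannot regress.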
@@ -46,7 +46,7 @@ if ENABLE_STATIC
 xtables_multi_CFLAGS  += -DALL_INCLUSIVE
 endif
 if ENABLE_IPV4
-xtables_multi_SOURCES += iptables-save.c iptables-restore.c iptables-xml.c \
+xtables_multi_SOURCES += iptables-save.c iptables-restore.c \
                          iptables-standalone.c iptables.c
 xtables_multi_CFLAGS  += -DENABLE_IPV4
 xtables_multi_LDADD   += libiptc/libip4tc.la extensions/libext4.a
diff --git a/iptables-multi.h b/iptables-multi.h
index a9912b0..a2bb878 100644
--- a/iptables-multi.h
+++ b/iptables-multi.h
@@ -4,6 +4,5 @@
 extern int iptables_main(int, char **);
 extern int iptables_save_main(int, char **);
 extern int iptables_restore_main(int, char **);
-extern int iptables_xml_main(int, char **);
 
 #endif /* _IPTABLES_MULTI_H */
diff --git a/iptables-xml.c b/iptables-xml.c
index aa98f75..5aa638c 100644
--- a/iptables-xml.c
+++ b/iptables-xml.c
@@ -1,6 +1,6 @@
 /* Code to convert iptables-save format to xml format,
  * (C) 2006 Ufo Mechanic <azez@ufomechanic.net>
- * based on iptables-restor (C) 2000-2002 by Harald Welte <laforge@gnumonks.org>
+ * based on iptables-restore (C) 2000-2002 by Harald Welte <laforge@gnumonks.org>
  * based on previous code from Rusty Russell <rusty@linuxcare.com.au>
  *
  * This code is distributed under the terms of GNU GPL v2
@@ -14,7 +14,7 @@
 #include <stdarg.h>
 #include "iptables.h"
 #include "libiptc/libiptc.h"
-#include "iptables-multi.h"
+#include "xtables-multi.h"
 #include <xtables.h>
 
 #ifdef DEBUG
diff --git a/xtables-multi.c b/xtables-multi.c
index f8d56ce..8014d5f 100644
--- a/xtables-multi.c
+++ b/xtables-multi.c
@@ -3,6 +3,8 @@
 #include <string.h>
 #include "xshared.h"
 
+#include "xtables-multi.h"
+
 #ifdef ENABLE_IPV4
 #include "iptables-multi.h"
 #endif
@@ -19,9 +21,9 @@ static const struct subcommand multi_subcommands[] = {
 	{"save4",               iptables_save_main},
 	{"iptables-restore",    iptables_restore_main},
 	{"restore4",            iptables_restore_main},
-	{"iptables-xml",        iptables_xml_main},
-	{"xml4",                iptables_xml_main},
 #endif
+	{"iptables-xml",        iptables_xml_main},
+	{"xml",                 iptables_xml_main},
 #ifdef ENABLE_IPV6
 	{"ip6tables",           ip6tables_main},
 	{"main6",               ip6tables_main},
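Review bot: the subcommand table loses the "xml4" alias and gains "xml" in its place, which the commit message does not mention; anything that invokes xtables-multi as xml4 stops resolving after this change. Either keep {"xml4", iptables_xml_main} as a compatibility entry next to the new name, or say in the changelog that the alias is renamed on purpose.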
diff --git a/xtables-multi.h b/xtables-multi.h
new file mode 100644
index 0000000..615724b
--- /dev/null
+++ b/xtables-multi.h
@@ -0,0 +1,6 @@
+#ifndef _XTABLES_MULTI_H
+#define _XTABLES_MULTI_H 1
+
+extern int iptables_xml_main(int, char **);
+
+#endif /* _XTABLES_MULTI_H */
-- 
1.7.3.4


* [PATCH 2/5] src: move all libiptc pieces into its directory
  2011-06-07 20:35 Installer, option fixes Jan Engelhardt
  2011-06-07 20:35 ` [PATCH 1/5] xtables-multi: fix absence of xml translator in IPv6-only builds Jan Engelhardt
@ 2011-06-07 20:36 ` Jan Engelhardt
  2011-06-07 20:36 ` [PATCH 4/5] tests: add some sample rulesets to test save-restore cycle Jan Engelhardt
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 9+ messages in thread
From: Jan Engelhardt @ 2011-06-07 20:36 UTC (permalink / raw)
  To: kaber; +Cc: pablo, netfilter-devel

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 .gitignore            |    1 -
 Makefile.am           |   17 +++--------------
 configure.ac          |    4 ++--
 libiptc.pc.in         |   12 ------------
 libiptc/.gitignore    |    1 +
 libiptc/Makefile.am   |   12 ++++++++++++
 libiptc/libiptc.pc.in |   12 ++++++++++++
 7 files changed, 30 insertions(+), 29 deletions(-)
 delete mode 100644 libiptc.pc.in
 create mode 100644 libiptc/.gitignore
 create mode 100644 libiptc/Makefile.am
 create mode 100644 libiptc/libiptc.pc.in

diff --git a/.gitignore b/.gitignore
index 9d24ce0..fc68536 100644
--- a/.gitignore
+++ b/.gitignore
@@ -36,7 +36,6 @@ Makefile.in
 /ltmain.sh
 /missing
 /stamp-h1
-/libiptc.pc
 /xtables.pc
 
 /ip6tables
diff --git a/Makefile.am b/Makefile.am
index 48f01d8..02b5c09 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -5,7 +5,7 @@ AUTOMAKE_OPTIONS = foreign subdir-objects
 
 AM_CFLAGS        = ${regular_CFLAGS}
 AM_CPPFLAGS      = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include ${kinclude_CPPFLAGS}
-SUBDIRS          = extensions
+SUBDIRS          = extensions libiptc
 if ENABLE_DEVEL
 SUBDIRS         += include
 endif
@@ -15,19 +15,8 @@ endif
 if HAVE_LIBNFNETLINK
 SUBDIRS         += utils
 endif
-lib_LTLIBRARIES =
 
-# libiptc
-lib_LTLIBRARIES            += libiptc/libip4tc.la libiptc/libip6tc.la libiptc/libiptc.la
-libiptc_libiptc_la_SOURCES  =
-libiptc_libiptc_la_LIBADD   = libiptc/libip4tc.la libiptc/libip6tc.la
-libiptc_libiptc_la_LDFLAGS  = -version-info 0:0:0 ${libiptc_LDFLAGS2}
-libiptc_libip4tc_la_SOURCES = libiptc/libip4tc.c
-libiptc_libip4tc_la_LDFLAGS = -version-info 0:0:0
-libiptc_libip6tc_la_SOURCES = libiptc/libip6tc.c
-libiptc_libip6tc_la_LDFLAGS = -version-info 0:0:0 ${libiptc_LDFLAGS2}
-
-lib_LTLIBRARIES      += libxtables.la
+lib_LTLIBRARIES       = libxtables.la
 libxtables_la_SOURCES = xtables.c xtoptions.c
 libxtables_la_LDFLAGS = -version-info ${libxtables_vcurrent}:0:${libxtables_vage}
 if ENABLE_SHARED
@@ -80,7 +69,7 @@ iptables.8: ${srcdir}/iptables.8.in extensions/matches4.man extensions/targets4.
 ip6tables.8: ${srcdir}/ip6tables.8.in extensions/matches6.man extensions/targets6.man
 	${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r extensions/matches6.man' -e '/@TARGET@/ r extensions/targets6.man' $< >$@;
 
-pkgconfig_DATA = libiptc.pc xtables.pc
+pkgconfig_DATA = xtables.pc
 
 .PHONY: tarball
 tarball:
diff --git a/configure.ac b/configure.ac
index daed602..f3de3d3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -111,6 +111,6 @@ libxtables_vmajor=$(($libxtables_vcurrent - $libxtables_vage));
 AC_SUBST([libxtables_vmajor])
 
 AC_CONFIG_FILES([Makefile extensions/GNUmakefile include/Makefile
-	libipq/Makefile utils/Makefile
-	include/xtables.h include/iptables/internal.h libiptc.pc xtables.pc])
+	libipq/Makefile libiptc/Makefile libiptc/libiptc.pc utils/Makefile
+	include/xtables.h include/iptables/internal.h xtables.pc])
 AC_OUTPUT
diff --git a/libiptc.pc.in b/libiptc.pc.in
deleted file mode 100644
index 99a3544..0000000
--- a/libiptc.pc.in
+++ /dev/null
@@ -1,12 +0,0 @@
-
-prefix=@prefix@
-exec_prefix=@exec_prefix@
-libdir=@libdir@
-includedir=@includedir@
-
-Name:		libiptc
-Description:	iptables ruleset ADT and kernel interface
-Version:	@PACKAGE_VERSION@
-Libs:		-L${libdir} -liptc
-Libs.private:	-lip4tc -lip6tc
-Cflags:		-I${includedir}
diff --git a/libiptc/.gitignore b/libiptc/.gitignore
new file mode 100644
index 0000000..8767550
--- /dev/null
+++ b/libiptc/.gitignore
@@ -0,0 +1 @@
+/libiptc.pc
diff --git a/libiptc/Makefile.am b/libiptc/Makefile.am
new file mode 100644
index 0000000..a7d0ea2
--- /dev/null
+++ b/libiptc/Makefile.am
@@ -0,0 +1,12 @@
+# -*- Makefile -*-
+
+pkgconfig_DATA      = libiptc.pc
+
+lib_LTLIBRARIES     = libip4tc.la libip6tc.la libiptc.la
+libiptc_la_SOURCES  =
+libiptc_la_LIBADD   = libip4tc.la libip6tc.la
+libiptc_la_LDFLAGS  = -version-info 0:0:0 ${libiptc_LDFLAGS2}
+libip4tc_la_SOURCES = libip4tc.c
+libip4tc_la_LDFLAGS = -version-info 0:0:0
+libip6tc_la_SOURCES = libip6tc.c
+libip6tc_la_LDFLAGS = -version-info 0:0:0 ${libiptc_LDFLAGS2}
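Review bot: the new libiptc/Makefile.am sets neither AM_CFLAGS nor AM_CPPFLAGS, and automake does not carry these over from the parent Makefile.am, so libip4tc.c and libip6tc.c lose ${regular_CFLAGS} and the -I${top_builddir}/include -I${top_srcdir}/include search path that the top-level file supplied while the libraries were built from there. Repeat the two assignments from the top-level Makefile.am in this file and verify with an out-of-tree build.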
diff --git a/libiptc/libiptc.pc.in b/libiptc/libiptc.pc.in
new file mode 100644
index 0000000..99a3544
--- /dev/null
+++ b/libiptc/libiptc.pc.in
@@ -0,0 +1,12 @@
+
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+
+Name:		libiptc
+Description:	iptables ruleset ADT and kernel interface
+Version:	@PACKAGE_VERSION@
+Libs:		-L${libdir} -liptc
+Libs.private:	-lip4tc -lip6tc
+Cflags:		-I${includedir}
-- 
1.7.3.4



* [PATCH 4/5] tests: add some sample rulesets to test save-restore cycle
  2011-06-07 20:35 Installer, option fixes Jan Engelhardt
  2011-06-07 20:35 ` [PATCH 1/5] xtables-multi: fix absence of xml translator in IPv6-only builds Jan Engelhardt
  2011-06-07 20:36 ` [PATCH 2/5] src: move all libiptc pieces into its directory Jan Engelhardt
@ 2011-06-07 20:36 ` Jan Engelhardt
  2011-06-08  7:08   ` Konstantin Khorenko
  2011-06-07 20:36 ` [PATCH 5/5] option: fix ignored negation before implicit extension loading Jan Engelhardt
                   ` (2 subsequent siblings)
  5 siblings, 1 reply; 9+ messages in thread
From: Jan Engelhardt @ 2011-06-07 20:36 UTC (permalink / raw)
  To: kaber; +Cc: pablo, netfilter-devel

These rulesets use practically all options (I may have missed some)
for verification that the new Guided Option Parser would take the same
input as the old open-coded ones did. They might come in handy at some
point.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 tests/options-ipv4.rules |   52 ++++++++++++++
 tests/options-most.rules |  170 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 222 insertions(+), 0 deletions(-)
 create mode 100644 tests/options-ipv4.rules
 create mode 100644 tests/options-most.rules

diff --git a/tests/options-ipv4.rules b/tests/options-ipv4.rules
new file mode 100644
index 0000000..b4adc92
--- /dev/null
+++ b/tests/options-ipv4.rules
@@ -0,0 +1,52 @@
+# Generated by iptables-save v1.4.10 on Mon Jan 31 03:03:38 2011
+*mangle
+:PREROUTING ACCEPT [2461:977932]
+:INPUT ACCEPT [2461:977932]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [1740:367048]
+:POSTROUTING ACCEPT [1740:367048]
+
+# libipt_
+-A INPUT -p ah -m ah --ahspi 1
+-A INPUT -p ah -m ah --ahspi :2
+-A INPUT -p ah -m ah --ahspi 0:3
+-A INPUT -p ah -m ah --ahspi 4:
+-A INPUT -p ah -m ah --ahspi 5:4294967295
+
+-A FORWARD -p tcp -j ECN --ecn-tcp-remove
+-A FORWARD -j LOG --log-prefix "hi" --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid --log-macdecode
+-A FORWARD -j TTL --ttl-inc 1
+-A FORWARD -j TTL --ttl-dec 1
+-A FORWARD -j TTL --ttl-set 1
+-A FORWARD -j ULOG --ulog-prefix "abc" --ulog-cprange 2 --ulog-qthreshold 2
+COMMIT
+# Completed on Mon Jan 31 03:03:38 2011
+# Generated by iptables-save v1.4.10 on Mon Jan 31 03:03:38 2011
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+-A PREROUTING -d 1.2.3.4/32 -i lo -j CLUSTERIP --new --hashmode sourceip --clustermac 01:02:03:04:05:06 --total-nodes 9 --local-node 2 --hash-init 123456789
+-A PREROUTING -i dummy0 -j DNAT --to-destination 1.2.3.4 --random --persistent
+-A PREROUTING -i dummy0 -p tcp -j REDIRECT --to-ports 1-2 --random
+-A POSTROUTING -o dummy0 -p tcp -j MASQUERADE --to-ports 1-2 --random
+-A POSTROUTING -o dummy0 -p tcp -j NETMAP --to 1.0.0.0/8
+-A POSTROUTING -o dummy0 -p tcp -j SNAT --to-source 1.2.3.4-1.2.3.5 --random --persistent
+COMMIT
+# Completed on Mon Jan 31 03:03:38 2011
+# Generated by iptables-save v1.4.10 on Mon Jan 31 03:03:38 2011
+*filter
+:INPUT ACCEPT [76:13548]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [59:11240]
+#-A INPUT -m addrtype --src-type UNICAST --dst-type UNICAST --limit-iface-in
+-A INPUT -p tcp -m ecn --ecn-tcp-ece --ecn-tcp-cwr --ecn-ip-ect 0
+-A INPUT -p tcp -m ecn --ecn-tcp-ece --ecn-tcp-cwr --ecn-ip-ect 1
+-A INPUT -p icmp -m icmp --icmp-type 5/0
+-A INPUT -p icmp -m icmp --icmp-type 5/1
+-A INPUT -p icmp -m icmp --icmp-type 5
+-A INPUT -m realm --realm 0x1 -m ttl --ttl-eq  64 -m ttl --ttl-lt  64 -m ttl --ttl-gt  64
+-A FORWARD -p tcp -j REJECT --reject-with tcp-reset
+COMMIT
+# Completed on Mon Jan 31 03:03:39 2011
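Review bot: the commented-out addrtype rule at the top of the *filter section carries no explanation, so a reader cannot tell whether --limit-iface-in is known to fail the save-restore cycle or was simply left disabled; add a one-line comment with the reason or drop the rule. The chain headers also keep host-specific counters such as [2461:977932], which make a byte-for-byte comparison of saved output harder; zeroing them to [0:0], as tests/options-most.rules does, would make the file easier to diff against.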
diff --git a/tests/options-most.rules b/tests/options-most.rules
new file mode 100644
index 0000000..4cd3a87
--- /dev/null
+++ b/tests/options-most.rules
@@ -0,0 +1,170 @@
+# Generated by ip6tables-save v1.4.10 on Mon Jan 31 02:19:53 2011
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:matches - -
+:ntarg - -
+:zmatches - -
+-A INPUT -j matches
+-A INPUT -m u32 --u32 "0x0=0x0&&0x0=0x1" -j ntarg
+-A INPUT -j zmatches
+-A INPUT -m conntrack --ctstate INVALID --ctproto 6 --ctorigsrc fe80::/64 --ctorigdst fe80::/64 --ctreplsrc fe80::/64 --ctrepldst fe80::/64 --ctorigsrcport 12 --ctorigdstport 13 --ctreplsrcport 14 --ctrepldstport 15 --ctstatus EXPECTED --ctexpire 1:2 --ctdir REPLY 
+-A INPUT -p tcp -m cluster --cluster-local-nodemask 0x00000001 --cluster-total-nodes 2 --cluster-hash-seed 0x00000001 -m cluster --cluster-local-nodemask 0x00000001 --cluster-total-nodes 2 --cluster-hash-seed 0x00000001 -m comment --comment foo -m connbytes --connbytes 1:2 --connbytes-mode packets --connbytes-dir both -m connlimit --connlimit-upto 1 --connlimit-mask 8 --connlimit-saddr -m connlimit --connlimit-above 1 --connlimit-mask 9 --connlimit-daddr -m connmark --mark 0x99 -m conntrack --ctstate INVALID --ctproto 6 --ctorigsrc fe80::/64 --ctorigdst fe80::/64 --ctreplsrc fe80::/64 --ctrepldst fe80::/64 --ctorigsrcport 12 --ctorigdstport 13 --ctreplsrcport 14 --ctrepldstport 15 --ctstatus EXPECTED --ctexpire 1:2 --ctdir REPLY -m cpu --cpu 2 -m dscp --dscp 0x04 -m dscp --dscp 0x00 -m ha
 shlimit --hashlimit-upto 1/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstip --hashlimit-name f1 --hashlimit-htable-size 64 --hashlimit-htable-max 128 --hashlimit-htable-gcinterval 60 --h
 ashlimit-htable-expire 120 --hashlimit-srcmask 24 --hashlimit-dstmask 24 -m hashlimit --hashlimit-above 5/sec --hashlimit-burst 5 --hashlimit-name f1 -m helper --helper ftp -m iprange --src-range ::1-::2 --dst-range ::1-::2 -m ipvs --vaddr fe80::/64 --vport 1 --vdir REPLY --vmethod GATE --vportctl 21 -m length --length 1:2 -m limit --limit 1/sec -m mac --mac-source 01:02:03:04:05:06 -m mark --mark 0x1 -m physdev --physdev-in eth0 -m pkttype --pkt-type unicast -m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto esp --mode tunnel --tunnel-dst fe80::/64 --tunnel-src fe80::/64 --next --reqid 2 -m quota --quota 0 -m recent --rcheck --name DEFAULT --rsource -m socket --transparent -m string --string "foobar" --algo kmp --from 1 --to 2 --icase -m time --timestart 01:02:03 --times
 top 03:04:05 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --utc -m tos --tos 0xff/0x01 -m u32 --u32 "0x0=0x0" -m u32 --u32 "0x0
 =0x0" -m hbh -m hbh -m hl --hl-eq 1
+-A INPUT -m ipv6header --header hop-by-hop --soft
+-A INPUT -p tcp -m cluster --cluster-local-nodemask 0x00000001 --cluster-total-nodes 2 --cluster-hash-seed 0x00000001
+-A INPUT -p tcp -m cluster --cluster-local-nodemask 0x00000001 --cluster-total-nodes 2 --cluster-hash-seed 0x00000001
+-A INPUT -p tcp -m comment --comment foo
+-A INPUT -p tcp -m connbytes --connbytes 1:2 --connbytes-mode packets --connbytes-dir both
+-A INPUT -p tcp -m connlimit --connlimit-upto 1 --connlimit-mask 8 --connlimit-saddr
+-A INPUT -p tcp -m connlimit --connlimit-above 1 --connlimit-mask 9 --connlimit-daddr
+-A INPUT -p tcp -m connmark --mark 0x99
+-A INPUT -p tcp -m conntrack --ctstate INVALID --ctproto 6 --ctorigsrc fe80::/64 --ctorigdst fe80::/64 --ctreplsrc fe80::/64 --ctrepldst fe80::/64 --ctorigsrcport 12 --ctorigdstport 13 --ctreplsrcport 14 --ctrepldstport 15 --ctstatus EXPECTED --ctexpire 1:2 --ctdir REPLY
+-A INPUT -p tcp -m cpu --cpu 2
+-A INPUT -p tcp -m dscp --dscp 0x04
+-A INPUT -p tcp -m dscp --dscp 0x00
+-A INPUT -p tcp -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstip --hashlimit-name f1 --hashlimit-htable-size 64 --hashlimit-htable-max 128 --hashlimit-htable-gcinterval 60 --hashlimit-htable-expire 120 --hashlimit-srcmask 24 --hashlimit-dstmask 24
+-A INPUT -p tcp -m hashlimit --hashlimit-above 5/sec --hashlimit-burst 5 --hashlimit-name f1
+-A INPUT -p tcp -m helper --helper ftp
+-A INPUT -p tcp -m iprange --src-range ::1-::2 --dst-range ::1-::2
+-A INPUT -p tcp -m length --length 1:2
+-A INPUT -p tcp -m limit --limit 1/sec
+-A INPUT -p tcp -m mac --mac-source 01:02:03:04:05:06
+-A INPUT -p tcp -m mark --mark 0x1
+-A INPUT -p tcp -m physdev --physdev-in eth0
+-A INPUT -p tcp -m pkttype --pkt-type unicast
+-A INPUT -p tcp -m policy --dir in --pol ipsec --strict --reqid 1 --spi 0x1 --proto esp --mode tunnel --tunnel-dst fe80::/64 --tunnel-src fe80::/64 --next --reqid 2
+-A INPUT -p tcp -m quota --quota 0
+-A INPUT -p tcp -m recent --rcheck --name DEFAULT --rsource
+-A INPUT -p tcp -m socket --transparent
+-A INPUT -p tcp -m string --string "foobar" --algo kmp --from 1 --to 2 --icase
+-A INPUT -p tcp -m tos --tos 0xff/0x01
+-A INPUT -p tcp -m u32 --u32 "0x0=0x0" -m u32 --u32 "0x0=0x0"
+-A INPUT -p tcp -m hbh -m hbh -m hl --hl-eq 1 -m ipv6header --header hop-by-hop --soft
+-A INPUT -m ipv6header --header hop-by-hop --soft -m rt --rt-type 2 --rt-segsleft 2 --rt-len 5 -m rt --rt-type 0 --rt-segsleft 2 --rt-len 5 --rt-0-res --rt-0-addrs ::1 --rt-0-not-strict -m rt --rt-type 0 --rt-segsleft 2 --rt-len 5 --rt-0-res --rt-0-addrs ::1,::2 --rt-0-not-strict
+-A INPUT -p tcp -m cpu --cpu 1 -m tcp --sport 1:2 --dport 1:2 --tcp-option 1 --tcp-flags FIN,SYN,RST,ACK SYN -m cpu --cpu 1
+-A INPUT -p dccp -m cpu --cpu 1 -m dccp --sport 1:2 --dport 3:4 -m cpu --cpu 1
+-A INPUT -p udp -m cpu --cpu 1 -m udp --sport 1:2 --dport 3:4 -m cpu --cpu 1
+-A INPUT -p sctp -m cpu --cpu 1 -m sctp --sport 1:2 --dport 3:4 --chunk-types all INIT,SACK -m cpu --cpu 1
+-A INPUT -p esp -m esp --espspi 1:2
+-A INPUT -p tcp -m multiport --dports 1,2 -m multiport --dports 1,2
+-A INPUT -p tcp -m tcpmss --mss 1:2 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4/0
+-A INPUT
+-A INPUT -p mobility
+-A INPUT -p mobility -m mh --mh-type 3
+-A OUTPUT -m owner --socket-exists --uid-owner 1-2 --gid-owner 2-3
+-A matches -m connbytes --connbytes 1 --connbytes-mode bytes --connbytes-dir both
+-A matches
+-A matches -m connbytes --connbytes :2 --connbytes-mode bytes --connbytes-dir both
+-A matches
+-A matches -m connbytes --connbytes 0:3 --connbytes-mode bytes --connbytes-dir both
+-A matches
+-A matches -m connbytes --connbytes 4: --connbytes-mode bytes --connbytes-dir both
+-A matches
+-A matches -m connbytes --connbytes 5:18446744073709551615 --connbytes-mode bytes --connbytes-dir both
+-A matches
+-A matches -m conntrack --ctexpire 1
+-A matches
+-A matches -m conntrack --ctexpire :2
+-A matches
+-A matches -m conntrack --ctexpire 0:3
+-A matches
+-A matches -m conntrack --ctexpire 4:
+-A matches
+-A matches -m conntrack --ctexpire 5:4294967295
+-A matches
+-A matches -p esp -m esp --espspi 1
+-A matches
+-A matches -p esp -m esp --espspi :2
+-A matches
+-A matches -p esp -m esp --espspi 0:3
+-A matches
+-A matches -p esp -m esp --espspi 4:
+-A matches
+-A matches -p esp -m esp --espspi 5:4294967295
+-A matches
+-A matches -m ipvs --vaddr fe80::/64 --vport 1 --vdir REPLY --vmethod GATE --vportctl 21
+-A matches
+-A matches -m length --length 1
+-A matches
+-A matches -m length --length :2
+-A matches
+-A matches -m length --length 0:3
+-A matches
+-A matches -m length --length 4:
+-A matches
+-A matches -m length --length 5:65535
+-A matches
+-A matches -p tcp -m tcpmss --mss 1
+-A matches
+-A matches -p tcp -m tcpmss --mss :2
+-A matches
+-A matches -p tcp -m tcpmss --mss 0:3
+-A matches
+-A matches -p tcp -m tcpmss --mss 4:
+-A matches
+-A matches -p tcp -m tcpmss --mss 5:65535
+-A matches
+-A matches -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --localtz
+-A matches
+-A matches -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05 --kerneltz
+-A matches
+-A matches -m time --timestart 01:02:03 --timestop 04:05:06 --monthdays 1,2,3,4,5 --weekdays Mon,Fri,Sun --datestart 2001-02-03T04:05:06 --datestop 2012-09-08T09:06:05
+-A matches
+-A matches -m time --timestart 02:00:00 --timestop 03:00:00 --datestart 1970-01-01T02:00:00 --datestop 1970-01-01T03:00:00
+-A matches
+-A matches -m ah --ahspi 1
+-A matches
+-A matches -m ah --ahspi :2
+-A matches
+-A matches -m ah --ahspi 0:3
+-A matches
+-A matches -m ah --ahspi 4:
+-A matches
+-A matches -m ah --ahspi 5:4294967295
+-A matches
+-A matches -m frag --fragid 1
+-A matches
+-A matches -m frag --fragid :2
+-A matches
+-A matches -m frag --fragid 0:3
+-A matches
+-A matches -m frag --fragid 4:
+-A matches
+-A matches -m frag --fragid 5:4294967295
+-A matches
+-A matches -m rt --rt-segsleft 1
+-A matches
+-A matches -m rt --rt-segsleft :2
+-A matches
+-A matches -m rt --rt-segsleft 0:3
+-A matches
+-A matches -m rt --rt-segsleft 4:
+-A matches
+-A matches -m rt --rt-segsleft 5:4294967295
+-A matches
+-A ntarg -j NFQUEUE --queue-num 1
+-A ntarg
+-A ntarg -j NFQUEUE --queue-balance 8:99
+-A ntarg
+-A ntarg -j RATEEST --rateest-name RE1 --rateest-interval 250.0ms --rateest-ewmalog 500.0ms
+-A ntarg
+-A ntarg -j RATEEST --rateest-name RE2 --rateest-interval 250.0ms --rateest-ewmalog 500.0ms
+-A ntarg
+#-A zmatches -m rateest --rateest RE1 --rateest-lt --rateest-bps 8bit
+#-A zmatches -m rateest --rateest RE1 --rateest-eq --rateest-bps 8bit
+#-A zmatches -m rateest --rateest RE1 --rateest-gt --rateest-bps 8bit
+#-A zmatches -m rateest --rateest RE1 --rateest-lt --rateest-pps 5
+#-A zmatches -m rateest --rateest RE1 --rateest-eq --rateest-pps 5
+#-A zmatches -m rateest --rateest RE1 --rateest-gt --rateest-pps 5
+#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-lt --rateest-bps2 16bit
+#-A zmatches -m rateest --rateest1 RE1 --rateest-lt --rateest2 RE2 --bytes
+#-A zmatches -m rateest --rateest1 RE1 --rateest-lt --rateest2 RE2 --packets
+#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-eq --rateest-bps2 16bit
+#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-bps1 8bit --rateest-gt --rateest-bps2 16bit
+#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-lt --rateest-pps2 9
+#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-eq --rateest-pps2 9
+#-A zmatches -m rateest --rateest-delta --rateest RE1 --rateest-pps1 8 --rateest-gt --rateest-pps2 9
+COMMIT
+# Completed on Mon Jan 31 02:19:54 2011
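Review bot: the long "-A INPUT -p tcp -m cluster ..." rule near the top of this file arrives broken across five physical lines, with the continuations starting with a space and splitting tokens ("-m ha" / "shlimit", "--times" / "top"), so the hunk as posted no longer matches its 170-line header and will not apply from the mail. Either split that rule into several shorter ones so no line approaches the mail line-length limit, or point reviewers at the git tree for this file. Separately, every zmatches rule is commented out, leaving the chain empty; a short comment on why the rateest matches are disabled would help.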
-- 
1.7.3.4



* [PATCH 5/5] option: fix ignored negation before implicit extension loading
  2011-06-07 20:35 Installer, option fixes Jan Engelhardt
                   ` (2 preceding siblings ...)
  2011-06-07 20:36 ` [PATCH 4/5] tests: add some sample rulesets to test save-restore cycle Jan Engelhardt
@ 2011-06-07 20:36 ` Jan Engelhardt
  2011-06-07 20:47 ` [PATCH 3/5] Looks like the MTA ate this Jan Engelhardt
  2011-06-08  7:35 ` Installer, option fixes Patrick McHardy
  5 siblings, 0 replies; 9+ messages in thread
From: Jan Engelhardt @ 2011-06-07 20:36 UTC (permalink / raw)
  To: kaber; +Cc: pablo, netfilter-devel

`iptables -A INPUT -p tcp ! --syn` forgot the negation, i.e. it
was not present in a subsequent `iptables -S`.

Commit v1.4.11~77^2~9 missed the fact that after autoloading a proto
extension, cs.invert must not be touched until the next getopt call.
This is now fixed by having command_default return a value to indicate
whether to jump or not.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 iptables/ip6tables.c     |    8 +++++++-
 iptables/iptables.c      |    4 +++-
 iptables/xshared.c       |   12 +++++++-----
 iptables/xshared.h       |    2 +-
 tests/options-most.rules |    2 ++
 5 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 4df73b8..4037acf 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -1716,7 +1716,13 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
 			exit_tryhelp(2);
 
 		default:
-			command_default(&cs, &ip6tables_globals);
+			if (command_default(&cs, &ip6tables_globals) == 1)
+				/*
+				 * If new options were loaded, we must retry
+				 * getopt immediately and not allow
+				 * cs.invert=FALSE to be executed.
+				 */
+				continue;
 			break;
 		}
 		cs.invert = FALSE;
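Review bot: in the default: case the multi-line comment sits between the unbraced if and its continue statement, which makes it easy to misread the break that follows as part of the conditional. Put the comment above the if, or brace the body, so it is obvious that only continue is conditional and that break still leads to cs.invert = FALSE for the ordinary case.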
diff --git a/iptables/iptables.c b/iptables/iptables.c
index d9c6436..4ae7541 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -1743,7 +1743,9 @@ int do_command4(int argc, char *argv[], char **table, struct iptc_handle **handl
 			exit_tryhelp(2);
 
 		default:
-			command_default(&cs, &iptables_globals);
+			if (command_default(&cs, &iptables_globals) == 1)
+				/* cf. ip6tables.c */
+				continue;
 			break;
 		}
 		cs.invert = FALSE;
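Review bot: in the `default:` case of do_command4 the caller tests `command_default(&cs, &iptables_globals) == 1`, so any other nonzero value added later would silently fall through to `cs.invert = FALSE;` and reintroduce the lost negation. Testing for nonzero, or comparing against a named constant shared by both callers, would be more robust; the `/* cf. ip6tables.c */` pointer also leaves this file without its own explanation if the other comment is ever edited.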
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 4651888..0e3857b 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -104,8 +104,8 @@ struct xtables_match *load_proto(struct iptables_command_state *cs)
 			  cs->options & OPT_NUMERIC, &cs->matches);
 }
 
-void command_default(struct iptables_command_state *cs,
-		     struct xtables_globals *gl)
+int command_default(struct iptables_command_state *cs,
+		    struct xtables_globals *gl)
 {
 	struct xtables_rule_match *matchp;
 	struct xtables_match *m;
@@ -116,7 +116,7 @@ void command_default(struct iptables_command_state *cs,
 	    cs->c < cs->target->option_offset + XT_OPTION_OFFSET_SCALE) {
 		xtables_option_tpcall(cs->c, cs->argv, cs->invert,
 				      cs->target, &cs->fw);
-		return;
+		return 0;
 	}
 
 	for (matchp = cs->matches; matchp; matchp = matchp->next) {
@@ -129,7 +129,7 @@ void command_default(struct iptables_command_state *cs,
 		    cs->c >= matchp->match->option_offset + XT_OPTION_OFFSET_SCALE)
 			continue;
 		xtables_option_mpcall(cs->c, cs->argv, cs->invert, m, &cs->fw);
-		return;
+		return 0;
 	}
 
 	/* Try loading protocol */
@@ -161,7 +161,8 @@ void command_default(struct iptables_command_state *cs,
 		if (gl->opts == NULL)
 			xtables_error(OTHER_PROBLEM, "can't alloc memory!");
 		optind--;
-		return;
+		/* Indicate to rerun getopt *immediately* */
+ 		return 1;
 	}
 
 	if (cs->c == ':')
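Review bot: the added `return 1;` line is indented with a space followed by tabs, while the comment line above it and the surrounding context use tabs only. Drop the leading space so the hunk does not introduce a space-before-tab whitespace error.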
@@ -171,6 +172,7 @@ void command_default(struct iptables_command_state *cs,
 		xtables_error(PARAMETER_PROBLEM, "unknown option "
 			      "\"%s\"", cs->argv[optind-1]);
 	xtables_error(PARAMETER_PROBLEM, "Unknown arg \"%s\"", optarg);
+	return 0;
 }
 
 static mainfunc_t subcmd_get(const char *cmd, const struct subcommand *cb)
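Review bot: the `return 0;` added at the end of command_default follows an unconditional `xtables_error(PARAMETER_PROBLEM, "Unknown arg \"%s\"", optarg);`. If that call does not return, the statement is unreachable and only exists to satisfy the new `int` return type; a short `/* not reached */` style comment would stop readers from treating 0 as a real outcome of the error path.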
diff --git a/iptables/xshared.h b/iptables/xshared.h
index d868c06..b44a3a3 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -77,7 +77,7 @@ enum {
 extern void print_extension_helps(const struct xtables_target *,
 	const struct xtables_rule_match *);
 extern const char *proto_to_name(uint8_t, int);
-extern void command_default(struct iptables_command_state *,
+extern int command_default(struct iptables_command_state *,
 	struct xtables_globals *);
 extern struct xtables_match *load_proto(struct iptables_command_state *);
 extern int subcmd_main(int, char **, const struct subcommand *);
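Review bot: the prototype of command_default changes from `void` to `int` here, but the header does not say what the return values mean, and both callers depend on the distinction. A comment above the declaration stating that 1 means new options were loaded and getopt must be rerun before `cs.invert` is reset, and 0 means the option was handled, would document the contract in the one place both callers include.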
diff --git a/tests/options-most.rules b/tests/options-most.rules
index 4cd3a87..6c4a831 100644
--- a/tests/options-most.rules
+++ b/tests/options-most.rules
@@ -38,6 +38,8 @@
 -A INPUT -p tcp -m recent --rcheck --name DEFAULT --rsource
 -A INPUT -p tcp -m socket --transparent
 -A INPUT -p tcp -m string --string "foobar" --algo kmp --from 1 --to 2 --icase
+-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN
 -A INPUT -p tcp -m tos --tos 0xff/0x01
 -A INPUT -p tcp -m u32 --u32 "0x0=0x0" -m u32 --u32 "0x0=0x0"
 -A INPUT -p tcp -m hbh -m hbh -m hl --hl-eq 1 -m ipv6header --header hop-by-hop --soft
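Review bot: both added rules spell out `-m tcp` before `--tcp-flags`, so restoring them loads the tcp match explicitly and never goes through the implicit protocol-extension load that the commit message names as the trigger (`iptables -A INPUT -p tcp ! --syn`). As a regression test for this fix the file therefore does not exercise the repaired path; consider adding a case that feeds `-p tcp ! --syn` without `-m tcp` and expects the first added line, `-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN`, as output.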
-- 
1.7.3.4


^ permalink raw reply related	[flat|nested] 9+ messages in thread
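The failure mode described in the commit message of patch 5/5, reduced to a toy option loop. This is an added example, not code from iptables or from the patch author; `model_default`, `model_parse` and `honor_retry` are hypothetical names, the argument vectors are constructed, and `-m` handling is simplified to "the extension is now loaded".

```c
#include <stdbool.h>
#include <string.h>

/* Toy model (constructed) of the option loop in do_command4/do_command6. */
struct parse_state {
	bool invert;       /* set by "!", applies to the next option only */
	bool proto_loaded; /* have the protocol extension's options been merged? */
	bool syn_seen;
	bool syn_inverted; /* what a later "iptables -S" would show */
};

/* Stand-in for command_default(): returns 1 if options were just loaded
 * and the current token must be parsed again, 0 otherwise. */
static int model_default(struct parse_state *st, const char *tok, int *idx)
{
	if (st->proto_loaded && strcmp(tok, "--syn") == 0) {
		st->syn_seen = true;
		st->syn_inverted = st->invert;
		return 0;
	}
	if (!st->proto_loaded) {
		st->proto_loaded = true; /* implicit load triggered by -p */
		--*idx;                  /* same role as optind-- */
		return 1;
	}
	return 0; /* unknown option; the real code reports an error here */
}

static struct parse_state model_parse(int argc, const char *const *argv,
				      bool honor_retry)
{
	struct parse_state st = { false, false, false, false };
	int idx = 0;

	while (idx < argc) {
		const char *tok = argv[idx++];

		if (strcmp(tok, "!") == 0) {
			st.invert = true;
			continue; /* keep the flag for the next option */
		}
		if (strcmp(tok, "-p") == 0) {
			idx++; /* skip the protocol name */
		} else if (strcmp(tok, "-m") == 0) {
			idx++; /* explicit load: skip the match name */
			st.proto_loaded = true;
		} else if (model_default(&st, tok, &idx) == 1 && honor_retry) {
			continue; /* fixed behaviour: reparse with invert intact */
		}
		st.invert = false; /* the reset that ate the negation */
	}
	return st;
}

/* Constructed inputs: implicit extension load vs. explicit -m tcp. */
static const char *const implicit_rule[] = { "-p", "tcp", "!", "--syn" };
static const char *const explicit_rule[] = { "-p", "tcp", "-m", "tcp", "!", "--syn" };

static bool implicit_negated(bool honor_retry)
{
	return model_parse(4, implicit_rule, honor_retry).syn_inverted;
}

static bool explicit_negated(bool honor_retry)
{
	return model_parse(6, explicit_rule, honor_retry).syn_inverted;
}

int main(void)
{
	/* Exit status 0 when the model behaves as the commit message describes. */
	return (!implicit_negated(false) && implicit_negated(true) &&
		explicit_negated(false) && explicit_negated(true)) ? 0 : 1;
}
```

With `honor_retry` false the implicit form records the match without its negation, which for a firewall rule means the opposite set of packets is matched; the explicit `-m tcp` form is unaffected either way.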

* [PATCH 3/5] Looks like the MTA ate this
  2011-06-07 20:35 Installer, option fixes Jan Engelhardt
                   ` (3 preceding siblings ...)
  2011-06-07 20:36 ` [PATCH 5/5] option: fix ignored negation before implicit extension loading Jan Engelhardt
@ 2011-06-07 20:47 ` Jan Engelhardt
  2011-06-08  7:35 ` Installer, option fixes Patrick McHardy
  5 siblings, 0 replies; 9+ messages in thread
From: Jan Engelhardt @ 2011-06-07 20:47 UTC (permalink / raw)
  To: kaber; +Cc: pablo, netfilter-devel

manual paste thus:

parent 5c8f5b60aa8e24da0bd25824f0f85bf7a4a39ea7 (v1.4.11-12-g5c8f5b6)
commit 033e25a3ad215ee3f5a07f0a3315f74c4abfaced
Author: Jan Engelhardt <jengelh@medozas.de>
Date:   Tue Jun 7 14:02:37 2011 +0200

src: move all iptables pieces into a separate directory

(Unclutter top-level dir)

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 .gitignore                                         |   14 ---
 Makefile.am                                        |   67 +-----------
 configure.ac                                       |    3 +-
 iptables/.gitignore                                |   14 +++
 iptables/Makefile.am                               |   67 ++++++++++++
 ip6tables-multi.h => iptables/ip6tables-multi.h    |    0
 .../ip6tables-restore.8                            |    0
 .../ip6tables-restore.c                            |    0
 ip6tables-save.8 => iptables/ip6tables-save.8      |    0
 ip6tables-save.c => iptables/ip6tables-save.c      |    0
 .../ip6tables-standalone.c                         |    0
 ip6tables.8.in => iptables/ip6tables.8.in          |    0
 ip6tables.c => iptables/ip6tables.c                |    0
 iptables-apply => iptables/iptables-apply          |    0
 iptables-apply.8 => iptables/iptables-apply.8      |    0
 iptables-multi.h => iptables/iptables-multi.h      |    0
 iptables-restore.8 => iptables/iptables-restore.8  |    0
 iptables-restore.c => iptables/iptables-restore.c  |    0
 iptables-save.8 => iptables/iptables-save.8        |    0
 iptables-save.c => iptables/iptables-save.c        |    0
 .../iptables-standalone.c                          |    0
 iptables-xml.1 => iptables/iptables-xml.1          |    0
 iptables-xml.c => iptables/iptables-xml.c          |    0
 iptables.8.in => iptables/iptables.8.in            |    0
 iptables.c => iptables/iptables.c                  |    0
 iptables.xslt => iptables/iptables.xslt            |    0
 xshared.c => iptables/xshared.c                    |    0
 xshared.h => iptables/xshared.h                    |    0
 xtables-multi.c => iptables/xtables-multi.c        |    0
 xtables-multi.h => iptables/xtables-multi.h        |    0
 xtables.c => iptables/xtables.c                    |    0
 xtables.pc.in => iptables/xtables.pc.in            |    0
 xtoptions.c => iptables/xtoptions.c                |    0
 33 files changed, 84 insertions(+), 81 deletions(-)
 create mode 100644 iptables/.gitignore
 create mode 100644 iptables/Makefile.am
 rename ip6tables-multi.h => iptables/ip6tables-multi.h (100%)
 rename ip6tables-restore.8 => iptables/ip6tables-restore.8 (100%)
 rename ip6tables-restore.c => iptables/ip6tables-restore.c (100%)
 rename ip6tables-save.8 => iptables/ip6tables-save.8 (100%)
 rename ip6tables-save.c => iptables/ip6tables-save.c (100%)
 rename ip6tables-standalone.c => iptables/ip6tables-standalone.c (100%)
 rename ip6tables.8.in => iptables/ip6tables.8.in (100%)
 rename ip6tables.c => iptables/ip6tables.c (100%)
 rename iptables-apply => iptables/iptables-apply (100%)
 rename iptables-apply.8 => iptables/iptables-apply.8 (100%)
 rename iptables-multi.h => iptables/iptables-multi.h (100%)
 rename iptables-restore.8 => iptables/iptables-restore.8 (100%)
 rename iptables-restore.c => iptables/iptables-restore.c (100%)
 rename iptables-save.8 => iptables/iptables-save.8 (100%)
 rename iptables-save.c => iptables/iptables-save.c (100%)
 rename iptables-standalone.c => iptables/iptables-standalone.c (100%)
 rename iptables-xml.1 => iptables/iptables-xml.1 (100%)
 rename iptables-xml.c => iptables/iptables-xml.c (100%)
 rename iptables.8.in => iptables/iptables.8.in (100%)
 rename iptables.c => iptables/iptables.c (100%)
 rename iptables.xslt => iptables/iptables.xslt (100%)
 rename xshared.c => iptables/xshared.c (100%)
 rename xshared.h => iptables/xshared.h (100%)
 rename xtables-multi.c => iptables/xtables-multi.c (100%)
 rename xtables-multi.h => iptables/xtables-multi.h (100%)
 rename xtables.c => iptables/xtables.c (100%)
 rename xtables.pc.in => iptables/xtables.pc.in (100%)
 rename xtoptions.c => iptables/xtoptions.c (100%)

diff --git a/.gitignore b/.gitignore
index fc68536..3e7def5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -36,17 +36,3 @@ Makefile.in
 /ltmain.sh
 /missing
 /stamp-h1
-/xtables.pc
-
-/ip6tables
-/ip6tables.8
-/ip6tables-save
-/ip6tables-restore
-/ip6tables-static
-/iptables
-/iptables.8
-/iptables-save
-/iptables-restore
-/iptables-static
-/iptables-xml
-/xtables-multi
diff --git a/Makefile.am b/Makefile.am
index 02b5c09..34b3501 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3,9 +3,7 @@
 ACLOCAL_AMFLAGS  = -I m4
 AUTOMAKE_OPTIONS = foreign subdir-objects
 
-AM_CFLAGS        = ${regular_CFLAGS}
-AM_CPPFLAGS      = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include ${kinclude_CPPFLAGS}
-SUBDIRS          = extensions libiptc
+SUBDIRS          = extensions libiptc iptables
 if ENABLE_DEVEL
 SUBDIRS         += include
 endif
@@ -16,61 +14,6 @@ if HAVE_LIBNFNETLINK
 SUBDIRS         += utils
 endif
 
-lib_LTLIBRARIES       = libxtables.la
-libxtables_la_SOURCES = xtables.c xtoptions.c
-libxtables_la_LDFLAGS = -version-info ${libxtables_vcurrent}:0:${libxtables_vage}
-if ENABLE_SHARED
-libxtables_la_CFLAGS  = ${AM_CFLAGS}
-libxtables_la_LIBADD  = -ldl
-else
-libxtables_la_CFLAGS  = ${AM_CFLAGS} -DNO_SHARED_LIBS=1
-libxtables_la_LIBADD  =
-endif
-
-xtables_multi_SOURCES  = xtables-multi.c iptables-xml.c
-xtables_multi_CFLAGS   = ${AM_CFLAGS} -DIPTABLES_MULTI
-xtables_multi_LDFLAGS  = -rdynamic
-xtables_multi_LDADD    = extensions/libext.a
-if ENABLE_STATIC
-xtables_multi_CFLAGS  += -DALL_INCLUSIVE
-endif
-if ENABLE_IPV4
-xtables_multi_SOURCES += iptables-save.c iptables-restore.c \
-                         iptables-standalone.c iptables.c
-xtables_multi_CFLAGS  += -DENABLE_IPV4
-xtables_multi_LDADD   += libiptc/libip4tc.la extensions/libext4.a
-endif
-if ENABLE_IPV6
-xtables_multi_SOURCES += ip6tables-save.c ip6tables-restore.c \
-                          ip6tables-standalone.c ip6tables.c
-xtables_multi_CFLAGS  += -DENABLE_IPV6
-xtables_multi_LDADD   += libiptc/libip6tc.la extensions/libext6.a
-endif
-xtables_multi_SOURCES += xshared.c
-xtables_multi_LDADD   += libxtables.la -lm
-
-sbin_PROGRAMS    = xtables-multi
-man_MANS         = iptables.8 iptables-restore.8 iptables-save.8 \
-                   iptables-xml.1 ip6tables.8 ip6tables-restore.8 \
-                   ip6tables-save.8
-CLEANFILES       = iptables.8 ip6tables.8
-
-vx_bin_links   = iptables-xml
-if ENABLE_IPV4
-v4_sbin_links  = iptables iptables-restore iptables-save
-endif
-if ENABLE_IPV6
-v6_sbin_links  = ip6tables ip6tables-restore ip6tables-save
-endif
-
-iptables.8: ${srcdir}/iptables.8.in extensions/matches4.man extensions/targets4.man
-	${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r extensions/matches4.man' -e '/@TARGET@/ r extensions/targets4.man' $< >$@;
-
-ip6tables.8: ${srcdir}/ip6tables.8.in extensions/matches6.man extensions/targets6.man
-	${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r extensions/matches6.man' -e '/@TARGET@/ r extensions/targets6.man' $< >$@;
-
-pkgconfig_DATA = xtables.pc
-
 .PHONY: tarball
 tarball:
 	rm -Rf /tmp/${PACKAGE_TARNAME}-${PACKAGE_VERSION};
@@ -81,11 +24,3 @@ tarball:
 
 config.status: extensions/GNUmakefile.in \
 	include/xtables.h.in include/iptables/internal.h.in
-
-# Using if..fi avoids an ugly "error (ignored)" message :)
-install-exec-hook:
-	-if test -z "${DESTDIR}"; then /sbin/ldconfig; fi;
-	${INSTALL} -dm0755 "${DESTDIR}${bindir}";
-	for i in ${vx_bin_links}; do ${LN_S} -f "${sbindir}/xtables-multi" "${DESTDIR}${bindir}/$$i"; done;
-	for i in ${v4_sbin_links}; do ${LN_S} -f xtables-multi "${DESTDIR}${sbindir}/$$i"; done;
-	for i in ${v6_sbin_links}; do ${LN_S} -f xtables-multi "${DESTDIR}${sbindir}/$$i"; done;
diff --git a/configure.ac b/configure.ac
index f3de3d3..4fba167 100644
--- a/configure.ac
+++ b/configure.ac
@@ -111,6 +111,7 @@ libxtables_vmajor=$(($libxtables_vcurrent - $libxtables_vage));
 AC_SUBST([libxtables_vmajor])
 
 AC_CONFIG_FILES([Makefile extensions/GNUmakefile include/Makefile
+	iptables/Makefile iptables/xtables.pc
 	libipq/Makefile libiptc/Makefile libiptc/libiptc.pc utils/Makefile
-	include/xtables.h include/iptables/internal.h xtables.pc])
+	include/xtables.h include/iptables/internal.h])
 AC_OUTPUT
diff --git a/iptables/.gitignore b/iptables/.gitignore
new file mode 100644
index 0000000..5a08937
--- /dev/null
+++ b/iptables/.gitignore
@@ -0,0 +1,14 @@
+/ip6tables
+/ip6tables.8
+/ip6tables-save
+/ip6tables-restore
+/ip6tables-static
+/iptables
+/iptables.8
+/iptables-save
+/iptables-restore
+/iptables-static
+/iptables-xml
+/xtables-multi
+
+/xtables.pc
diff --git a/iptables/Makefile.am b/iptables/Makefile.am
new file mode 100644
index 0000000..13cca9c
--- /dev/null
+++ b/iptables/Makefile.am
@@ -0,0 +1,67 @@
+# -*- Makefile -*-
+
+AM_CFLAGS        = ${regular_CFLAGS}
+AM_CPPFLAGS      = ${regular_CPPFLAGS} -I${top_builddir}/include -I${top_srcdir}/include ${kinclude_CPPFLAGS}
+
+lib_LTLIBRARIES       = libxtables.la
+libxtables_la_SOURCES = xtables.c xtoptions.c
+libxtables_la_LDFLAGS = -version-info ${libxtables_vcurrent}:0:${libxtables_vage}
+if ENABLE_SHARED
+libxtables_la_CFLAGS  = ${AM_CFLAGS}
+libxtables_la_LIBADD  = -ldl
+else
+libxtables_la_CFLAGS  = ${AM_CFLAGS} -DNO_SHARED_LIBS=1
+libxtables_la_LIBADD  =
+endif
+
+xtables_multi_SOURCES  = xtables-multi.c iptables-xml.c
+xtables_multi_CFLAGS   = ${AM_CFLAGS} -DIPTABLES_MULTI
+xtables_multi_LDFLAGS  = -rdynamic
+xtables_multi_LDADD    = ../extensions/libext.a
+if ENABLE_STATIC
+xtables_multi_CFLAGS  += -DALL_INCLUSIVE
+endif
+if ENABLE_IPV4
+xtables_multi_SOURCES += iptables-save.c iptables-restore.c \
+                         iptables-standalone.c iptables.c
+xtables_multi_CFLAGS  += -DENABLE_IPV4
+xtables_multi_LDADD   += ../libiptc/libip4tc.la ../extensions/libext4.a
+endif
+if ENABLE_IPV6
+xtables_multi_SOURCES += ip6tables-save.c ip6tables-restore.c \
+                          ip6tables-standalone.c ip6tables.c
+xtables_multi_CFLAGS  += -DENABLE_IPV6
+xtables_multi_LDADD   += ../libiptc/libip6tc.la ../extensions/libext6.a
+endif
+xtables_multi_SOURCES += xshared.c
+xtables_multi_LDADD   += libxtables.la -lm
+
+sbin_PROGRAMS    = xtables-multi
+man_MANS         = iptables.8 iptables-restore.8 iptables-save.8 \
+                   iptables-xml.1 ip6tables.8 ip6tables-restore.8 \
+                   ip6tables-save.8
+CLEANFILES       = iptables.8 ip6tables.8
+
+vx_bin_links   = iptables-xml
+if ENABLE_IPV4
+v4_sbin_links  = iptables iptables-restore iptables-save
+endif
+if ENABLE_IPV6
+v6_sbin_links  = ip6tables ip6tables-restore ip6tables-save
+endif
+
+iptables.8: ${srcdir}/iptables.8.in ../extensions/matches4.man ../extensions/targets4.man
+	${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r extensions/matches4.man' -e '/@TARGET@/ r extensions/targets4.man' $< >$@;
+
+ip6tables.8: ${srcdir}/ip6tables.8.in ../extensions/matches6.man ../extensions/targets6.man
+	${AM_VERBOSE_GEN} sed -e 's/@PACKAGE_AND_VERSION@/${PACKAGE} ${PACKAGE_VERSION}/g' -e '/@MATCH@/ r extensions/matches6.man' -e '/@TARGET@/ r extensions/targets6.man' $< >$@;
+
+pkgconfig_DATA = xtables.pc
+
+# Using if..fi avoids an ugly "error (ignored)" message :)
+install-exec-hook:
+	-if test -z "${DESTDIR}"; then /sbin/ldconfig; fi;
+	${INSTALL} -dm0755 "${DESTDIR}${bindir}";
+	for i in ${vx_bin_links}; do ${LN_S} -f "${sbindir}/xtables-multi" "${DESTDIR}${bindir}/$$i"; done;
+	for i in ${v4_sbin_links}; do ${LN_S} -f xtables-multi "${DESTDIR}${sbindir}/$$i"; done;
+	for i in ${v6_sbin_links}; do ${LN_S} -f xtables-multi "${DESTDIR}${sbindir}/$$i"; done;
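Review bot: in the `iptables.8` and `ip6tables.8` rules the prerequisites were updated to `../extensions/matches4.man` and friends, but the sed scripts in the recipes still say `r extensions/matches4.man`, `r extensions/targets4.man`, `r extensions/matches6.man` and `r extensions/targets6.man`. Now that this Makefile lives in iptables/, those paths resolve relative to that directory and no longer point at the files the rule depends on; sed skips an unreadable `r` file without an error, so the generated man pages would come out without the match and target sections. The `r` arguments need the same `../` prefix as the prerequisites.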
diff --git a/ip6tables-multi.h b/iptables/ip6tables-multi.h
similarity index 100%
rename from ip6tables-multi.h
rename to iptables/ip6tables-multi.h
diff --git a/ip6tables-restore.8 b/iptables/ip6tables-restore.8
similarity index 100%
rename from ip6tables-restore.8
rename to iptables/ip6tables-restore.8
diff --git a/ip6tables-restore.c b/iptables/ip6tables-restore.c
similarity index 100%
rename from ip6tables-restore.c
rename to iptables/ip6tables-restore.c
diff --git a/ip6tables-save.8 b/iptables/ip6tables-save.8
similarity index 100%
rename from ip6tables-save.8
rename to iptables/ip6tables-save.8
diff --git a/ip6tables-save.c b/iptables/ip6tables-save.c
similarity index 100%
rename from ip6tables-save.c
rename to iptables/ip6tables-save.c
diff --git a/ip6tables-standalone.c b/iptables/ip6tables-standalone.c
similarity index 100%
rename from ip6tables-standalone.c
rename to iptables/ip6tables-standalone.c
diff --git a/ip6tables.8.in b/iptables/ip6tables.8.in
similarity index 100%
rename from ip6tables.8.in
rename to iptables/ip6tables.8.in
diff --git a/ip6tables.c b/iptables/ip6tables.c
similarity index 100%
rename from ip6tables.c
rename to iptables/ip6tables.c
diff --git a/iptables-apply b/iptables/iptables-apply
similarity index 100%
rename from iptables-apply
rename to iptables/iptables-apply
diff --git a/iptables-apply.8 b/iptables/iptables-apply.8
similarity index 100%
rename from iptables-apply.8
rename to iptables/iptables-apply.8
diff --git a/iptables-multi.h b/iptables/iptables-multi.h
similarity index 100%
rename from iptables-multi.h
rename to iptables/iptables-multi.h
diff --git a/iptables-restore.8 b/iptables/iptables-restore.8
similarity index 100%
rename from iptables-restore.8
rename to iptables/iptables-restore.8
diff --git a/iptables-restore.c b/iptables/iptables-restore.c
similarity index 100%
rename from iptables-restore.c
rename to iptables/iptables-restore.c
diff --git a/iptables-save.8 b/iptables/iptables-save.8
similarity index 100%
rename from iptables-save.8
rename to iptables/iptables-save.8
diff --git a/iptables-save.c b/iptables/iptables-save.c
similarity index 100%
rename from iptables-save.c
rename to iptables/iptables-save.c
diff --git a/iptables-standalone.c b/iptables/iptables-standalone.c
similarity index 100%
rename from iptables-standalone.c
rename to iptables/iptables-standalone.c
diff --git a/iptables-xml.1 b/iptables/iptables-xml.1
similarity index 100%
rename from iptables-xml.1
rename to iptables/iptables-xml.1
diff --git a/iptables-xml.c b/iptables/iptables-xml.c
similarity index 100%
rename from iptables-xml.c
rename to iptables/iptables-xml.c
diff --git a/iptables.8.in b/iptables/iptables.8.in
similarity index 100%
rename from iptables.8.in
rename to iptables/iptables.8.in
diff --git a/iptables.c b/iptables/iptables.c
similarity index 100%
rename from iptables.c
rename to iptables/iptables.c
diff --git a/iptables.xslt b/iptables/iptables.xslt
similarity index 100%
rename from iptables.xslt
rename to iptables/iptables.xslt
diff --git a/xshared.c b/iptables/xshared.c
similarity index 100%
rename from xshared.c
rename to iptables/xshared.c
diff --git a/xshared.h b/iptables/xshared.h
similarity index 100%
rename from xshared.h
rename to iptables/xshared.h
diff --git a/xtables-multi.c b/iptables/xtables-multi.c
similarity index 100%
rename from xtables-multi.c
rename to iptables/xtables-multi.c
diff --git a/xtables-multi.h b/iptables/xtables-multi.h
similarity index 100%
rename from xtables-multi.h
rename to iptables/xtables-multi.h
diff --git a/xtables.c b/iptables/xtables.c
similarity index 100%
rename from xtables.c
rename to iptables/xtables.c
diff --git a/xtables.pc.in b/iptables/xtables.pc.in
similarity index 100%
rename from xtables.pc.in
rename to iptables/xtables.pc.in
diff --git a/xtoptions.c b/iptables/xtoptions.c
similarity index 100%
rename from xtoptions.c
rename to iptables/xtoptions.c
-- 
# Created with git-export-patch

^ permalink raw reply related	[flat|nested] 9+ messages in thread

* Re: [PATCH 4/5] tests: add some sample rulesets to test save-restore cycle
  2011-06-07 20:36 ` [PATCH 4/5] tests: add some sample rulesets to test save-restore cycle Jan Engelhardt
@ 2011-06-08  7:08   ` Konstantin Khorenko
  0 siblings, 0 replies; 9+ messages in thread
From: Konstantin Khorenko @ 2011-06-08  7:08 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

On 06/08/2011 12:36 AM, Jan Engelhardt wrote:
> These rulesets use practically all options (I may have missed some)
> for verification that the new Guided Option Parser would take the same
> input as the old open-coded ones did. They might come in handy at some
> point.
>
> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

Hi Jan,

thank you very much for the ruleset, it helps a lot!

--
Konstantin Khorenko,

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Installer, option fixes
  2011-06-07 20:35 Installer, option fixes Jan Engelhardt
                   ` (4 preceding siblings ...)
  2011-06-07 20:47 ` [PATCH 3/5] Looks like the MTA ate this Jan Engelhardt
@ 2011-06-08  7:35 ` Patrick McHardy
  2011-06-08 10:15   ` Patrick McHardy
  5 siblings, 1 reply; 9+ messages in thread
From: Patrick McHardy @ 2011-06-08  7:35 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: pablo, netfilter-devel

On 07.06.2011 22:35, Jan Engelhardt wrote:
> Here are a couple of fixes. I have also taken the liberty to move the
> main code into a directory of its own to unclutter the toplevel directory.
> This does not impact AFAICS.
> 
> With this in, it would be prudent to produce a 1.4.12.
> ===
> The following changes since commit a1cd1f2a4a35427c68cd0d1bd2761d5be42b12b1:
> 
>   doc: fix trivial typo in libipt_SNAT (2011-06-01 02:35:28 +0200)
> 
> are available in the git repository at:
>   git://dev.medozas.de/iptables master
> 
> Jan Engelhardt (4):
>       src: move all libiptc pieces into its directory
>       src: move all iptables pieces into a separate directory
>       tests: add some sample rulesets to test save-restore cycle
>       option: fix ignored negation before implicit extension loading
> 
> Maciej Żenczykowski (1):
>       xtables-multi: fix absence of xml translator in IPv6-only builds
> 

Pulled, thanks Jan.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Installer, option fixes
  2011-06-08  7:35 ` Installer, option fixes Patrick McHardy
@ 2011-06-08 10:15   ` Patrick McHardy
  0 siblings, 0 replies; 9+ messages in thread
From: Patrick McHardy @ 2011-06-08 10:15 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: pablo, netfilter-devel

On 08.06.2011 09:35, Patrick McHardy wrote:
> On 07.06.2011 22:35, Jan Engelhardt wrote:
>> Here are a couple of fixes. I have also taken the liberty to move the
>> main code into a directory of its own to unclutter the toplevel directory.
>> This does not impact AFAICS.
>>
>> With this in, it would be prudent to produce a 1.4.12.

Just FYI, I'm doing some testing myself and will wait until tomorrow,
then make a new release.

^ permalink raw reply	[flat|nested] 9+ messages in thread

end of thread, other threads:[~2011-06-08 10:15 UTC | newest]
