* iptables: pull request June-05
@ 2009-06-05 19:25 Jan Engelhardt
  2009-06-05 19:25 ` [PATCH 1/3] iptables: accept multiple IP address specifications for -s, -d Jan Engelhardt
                   ` (3 more replies)
  0 siblings, 4 replies; 17+ messages in thread
From: Jan Engelhardt @ 2009-06-05 19:25 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel


Hi,


in another working copy I found these accumulated pieces:

	Jan Engelhardt (2):
	      DNAT/SNAT: add manpage documentation for --persistent flag
	      extensions: remove redundant casts

	Michael Granzow (1):
	      iptables: accept multiple IP address specifications for -s, -d

They have now been uploaded, so please pull once again from
	git://dev.medozas.de/iptables master

 configure.ac                 |    4 +-
 extensions/libipt_DNAT.man   |    7 +-
 extensions/libipt_SAME.man   |    2 +
 extensions/libipt_SNAT.man   |    7 +-
 extensions/libipt_realm.c    |    4 +-
 extensions/libxt_multiport.c |   12 ++--
 include/xtables.h.in         |    5 +
 ip6tables.c                  |   49 ++++++++-----
 iptables.8.in                |    7 +-
 iptables.c                   |   42 +++++++---
 xtables.c                    |  175 ++++++++++++++++++++++++++++++++++++++++++
 11 files changed, 268 insertions(+), 46 deletions(-)


* [PATCH 1/3] iptables: accept multiple IP address specifications for -s, -d
  2009-06-05 19:25 iptables: pull request June-05 Jan Engelhardt
@ 2009-06-05 19:25 ` Jan Engelhardt
  2009-06-06  6:53   ` Pablo Neira Ayuso
  2009-06-05 19:25 ` [PATCH 2/3] DNAT/SNAT: add manpage documentation for --persistent flag Jan Engelhardt
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 17+ messages in thread
From: Jan Engelhardt @ 2009-06-05 19:25 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

From: Michael Granzow <mgranzow@zeus.com>

libiptc already supports adding and deleting multiple rules with
different addresses, so it only needs to be wired up to the options.

	# ip6tables -I INPUT -s 2001:db8::d,2001:db8::e -j DROP

References: http://marc.info/?l=netfilter-devel&m=123929790719202&w=2

Adjustments made: syntax, removal of unneeded variables, manpage
adjustment, soversion bump.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 configure.ac         |    4 +-
 include/xtables.h.in |    5 ++
 ip6tables.c          |   49 +++++++++-----
 iptables.8.in        |    7 ++-
 iptables.c           |   42 +++++++++----
 xtables.c            |  175 ++++++++++++++++++++++++++++++++++++++++++++++++++
 6 files changed, 248 insertions(+), 34 deletions(-)

diff --git a/configure.ac b/configure.ac
index f5b5571..c3a8c6c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2,8 +2,8 @@
 AC_INIT([iptables], [1.4.3.2])
 
 # See libtool.info "Libtool's versioning system"
-libxtables_vcurrent=2
-libxtables_vage=0
+libxtables_vcurrent=3
+libxtables_vage=1
 
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
diff --git a/include/xtables.h.in b/include/xtables.h.in
index 4d4ca0a..037fae1 100644
--- a/include/xtables.h.in
+++ b/include/xtables.h.in
@@ -215,6 +215,7 @@ extern void xtables_init(void);
 extern void xtables_set_nfproto(uint8_t);
 extern void *xtables_calloc(size_t, size_t);
 extern void *xtables_malloc(size_t);
+extern void *xtables_realloc(void *, size_t);
 
 extern int xtables_insmod(const char *, const char *, bool);
 extern int xtables_load_ko(const char *, bool);
@@ -260,6 +261,8 @@ extern struct in_addr *xtables_numeric_to_ipaddr(const char *);
 extern struct in_addr *xtables_numeric_to_ipmask(const char *);
 extern void xtables_ipparse_any(const char *, struct in_addr **,
 	struct in_addr *, unsigned int *);
+extern void xtables_ipparse_multiple(const char *, struct in_addr **,
+	struct in_addr **, unsigned int *);
 
 extern struct in6_addr *xtables_numeric_to_ip6addr(const char *);
 extern const char *xtables_ip6addr_to_numeric(const struct in6_addr *);
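Review bot: the new xtables_ipparse_multiple() prototype takes struct in_addr ** for the mask where xtables_ipparse_any() directly above it takes struct in_addr *, and nothing in the header says that the function now allocates the mask array and that the caller has to free() both outputs. This is a public libxtables header, so a short comment on the prototype stating who owns *addrpp and *maskpp, and that *naddrs is the length of both arrays, would keep other callers from leaking them or from passing a single struct as before. The same applies to xtables_ip6parse_multiple() in the next hunk.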
@@ -267,6 +270,8 @@ extern const char *xtables_ip6addr_to_anyname(const struct in6_addr *);
 extern const char *xtables_ip6mask_to_numeric(const struct in6_addr *);
 extern void xtables_ip6parse_any(const char *, struct in6_addr **,
 	struct in6_addr *, unsigned int *);
+extern void xtables_ip6parse_multiple(const char *, struct in6_addr **,
+	struct in6_addr **, unsigned int *);
 
 /**
  * Print the specified value to standard output, quoting dangerous
diff --git a/ip6tables.c b/ip6tables.c
index 35067f8..31c4b45 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -281,9 +281,9 @@ exit_printhelp(struct xtables_rule_match *matches)
 
 "Options:\n"
 "[!] --proto	-p proto	protocol: by number or name, eg. `tcp'\n"
-"[!] --source	-s address[/mask]\n"
+"[!] --source	-s address[/mask][,...]\n"
 "				source specification\n"
-"[!] --destination -d address[/mask]\n"
+"[!] --destination -d address[/mask][,...]\n"
 "				destination specification\n"
 "[!] --in-interface -i input name[+]\n"
 "				network interface name ([+] for wildcard)\n"
@@ -740,8 +740,10 @@ append_entry(const ip6t_chainlabel chain,
 	     struct ip6t_entry *fw,
 	     unsigned int nsaddrs,
 	     const struct in6_addr saddrs[],
+	     const struct in6_addr smasks[],
 	     unsigned int ndaddrs,
 	     const struct in6_addr daddrs[],
+	     const struct in6_addr dmasks[],
 	     int verbose,
 	     struct ip6tc_handle *handle)
 {
@@ -750,8 +752,10 @@ append_entry(const ip6t_chainlabel chain,
 
 	for (i = 0; i < nsaddrs; i++) {
 		fw->ipv6.src = saddrs[i];
+		fw->ipv6.smsk = smasks[i];
 		for (j = 0; j < ndaddrs; j++) {
 			fw->ipv6.dst = daddrs[j];
+			fw->ipv6.dmsk = dmasks[j];
 			if (verbose)
 				print_firewall_line(fw, handle);
 			ret &= ip6tc_append_entry(chain, fw, handle);
@@ -784,8 +788,10 @@ insert_entry(const ip6t_chainlabel chain,
 	     unsigned int rulenum,
 	     unsigned int nsaddrs,
 	     const struct in6_addr saddrs[],
+	     const struct in6_addr smasks[],
 	     unsigned int ndaddrs,
 	     const struct in6_addr daddrs[],
+	     const struct in6_addr dmasks[],
 	     int verbose,
 	     struct ip6tc_handle *handle)
 {
@@ -794,8 +800,10 @@ insert_entry(const ip6t_chainlabel chain,
 
 	for (i = 0; i < nsaddrs; i++) {
 		fw->ipv6.src = saddrs[i];
+		fw->ipv6.smsk = smasks[i];
 		for (j = 0; j < ndaddrs; j++) {
 			fw->ipv6.dst = daddrs[j];
+			fw->ipv6.dmsk = dmasks[j];
 			if (verbose)
 				print_firewall_line(fw, handle);
 			ret &= ip6tc_insert_entry(chain, fw, rulenum, handle);
@@ -806,7 +814,7 @@ insert_entry(const ip6t_chainlabel chain,
 }
 
 static unsigned char *
-make_delete_mask(struct ip6t_entry *fw, struct xtables_rule_match *matches)
+make_delete_mask(struct xtables_rule_match *matches)
 {
 	/* Establish mask for comparison */
 	unsigned int size;
@@ -843,8 +851,10 @@ delete_entry(const ip6t_chainlabel chain,
 	     struct ip6t_entry *fw,
 	     unsigned int nsaddrs,
 	     const struct in6_addr saddrs[],
+	     const struct in6_addr smasks[],
 	     unsigned int ndaddrs,
 	     const struct in6_addr daddrs[],
+	     const struct in6_addr dmasks[],
 	     int verbose,
 	     struct ip6tc_handle *handle,
 	     struct xtables_rule_match *matches)
@@ -853,11 +863,13 @@ delete_entry(const ip6t_chainlabel chain,
 	int ret = 1;
 	unsigned char *mask;
 
-	mask = make_delete_mask(fw, matches);
+	mask = make_delete_mask(matches);
 	for (i = 0; i < nsaddrs; i++) {
 		fw->ipv6.src = saddrs[i];
+		fw->ipv6.smsk = smasks[i];
 		for (j = 0; j < ndaddrs; j++) {
 			fw->ipv6.dst = daddrs[j];
+			fw->ipv6.dmsk = dmasks[j];
 			if (verbose)
 				print_firewall_line(fw, handle);
 			ret &= ip6tc_delete_entry(chain, fw, mask, handle);
@@ -1291,9 +1303,9 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
 	int invert = 0;
 	unsigned int nsaddrs = 0, ndaddrs = 0;
 	struct in6_addr *saddrs = NULL, *daddrs = NULL;
+	struct in6_addr *smasks = NULL, *dmasks = NULL;
 
 	int c, verbose = 0;
-	unsigned i;
 	const char *chain = NULL;
 	const char *shostnetworkmask = NULL, *dhostnetworkmask = NULL;
 	const char *policy = NULL, *newname = NULL;
@@ -1811,12 +1823,12 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
 	}
 
 	if (shostnetworkmask)
-		xtables_ip6parse_any(shostnetworkmask, &saddrs,
-		                         &fw.ipv6.smsk, &nsaddrs);
+		xtables_ip6parse_multiple(shostnetworkmask, &saddrs,
+					  &smasks, &nsaddrs);
 
 	if (dhostnetworkmask)
-		xtables_ip6parse_any(dhostnetworkmask, &daddrs,
-		                         &fw.ipv6.dmsk, &ndaddrs);
+		xtables_ip6parse_multiple(dhostnetworkmask, &daddrs,
+					  &dmasks, &ndaddrs);
 
 	if ((nsaddrs > 1 || ndaddrs > 1) &&
 	    (fw.ipv6.invflags & (IP6T_INV_SRCIP | IP6T_INV_DSTIP)))
@@ -1921,13 +1933,15 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
 	switch (command) {
 	case CMD_APPEND:
 		ret = append_entry(chain, e,
-				   nsaddrs, saddrs, ndaddrs, daddrs,
+				   nsaddrs, saddrs, smasks,
+				   ndaddrs, daddrs, dmasks,
 				   options&OPT_VERBOSE,
 				   *handle);
 		break;
 	case CMD_DELETE:
 		ret = delete_entry(chain, e,
-				   nsaddrs, saddrs, ndaddrs, daddrs,
+				   nsaddrs, saddrs, smasks,
+				   ndaddrs, daddrs, dmasks,
 				   options&OPT_VERBOSE,
 				   *handle, matches);
 		break;
@@ -1941,7 +1955,8 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
 		break;
 	case CMD_INSERT:
 		ret = insert_entry(chain, e, rulenum - 1,
-				   nsaddrs, saddrs, ndaddrs, daddrs,
+				   nsaddrs, saddrs, smasks,
+				   ndaddrs, daddrs, dmasks,
 				   options&OPT_VERBOSE,
 				   *handle);
 		break;
@@ -2001,12 +2016,10 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
 		e = NULL;
 	}
 
-	for (i = 0; i < nsaddrs; i++)
-		free(&saddrs[i]);
-
-	for (i = 0; i < ndaddrs; i++)
-		free(&daddrs[i]);
-
+	free(saddrs);
+	free(smasks);
+	free(daddrs);
+	free(dmasks);
 	xtables_free_opts(1);
 
 	return ret;
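Review bot: the removed loops called free(&saddrs[i]) and free(&daddrs[i]), that is, free() on interior pointers of one allocation, so replacing them with free(saddrs) and free(daddrs) at the end of do_command6() is a bug fix that stands apart from the multi-address feature. The "Adjustments made" list in the commit message does not mention it. Suggest naming it there, or splitting it into its own patch so it can be merged without waiting for the feature.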
diff --git a/iptables.8.in b/iptables.8.in
index 10dcb73..ff7954b 100644
--- a/iptables.8.in
+++ b/iptables.8.in
@@ -236,7 +236,7 @@ Protocol \fBall\fP
 will match with all protocols and is taken as default when this
 option is omitted.
 .TP
-[\fB!\fP] \fB\-s\fP, \fB\-\-source\fP \fIaddress\fP[\fB/\fP\fImask\fP]
+[\fB!\fP] \fB\-s\fP, \fB\-\-source\fP \fIaddress\fP[\fB/\fP\fImask\fP][\fB,\fP\fI...\fP]
 Source specification. \fIAddress\fP
 can be either a network name, a hostname (please note that specifying
 any name to be resolved with a remote query such as DNS is a really bad idea),
@@ -247,8 +247,11 @@ specifying the number of 1's at the left side of the network mask.
 Thus, a mask of \fI24\fP is equivalent to \fI255.255.255.0\fP.
 A "!" argument before the address specification inverts the sense of
 the address. The flag \fB\-\-src\fP is an alias for this option.
+Multiple addresses can be specified when, but this will \fBreplicate\fP the
+rule (when adding with \-A), or will cause multiple rules to be
+deleted (with \-D).
 .TP
-[\fB!\fP] \fB\-d\fP, \fB\-\-destination\fP \fIaddress\fP[\fB/\fP\fImask\fP]
+[\fB!\fP] \fB\-d\fP, \fB\-\-destination\fP \fIaddress\fP[\fB/\fP\fImask\fP][\fB,\fP\fI...\fP]
 Destination specification. 
 See the description of the \fB\-s\fP
 (source) flag for a detailed description of the syntax.  The flag
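Review bot: the added sentence "Multiple addresses can be specified when, but this will replicate the rule" has a stray "when", and it names only \-A and \-D although the same expansion is wired into insert_entry() for \-I in this patch. It also does not say that several sources combined with several destinations produce one rule per source/destination pair, which is what the nested loops in append_entry() do. For someone auditing a ruleset, the number of rules created and the fact that a single \-D removes several of them are the points to state plainly. Separately, the usage text in iptables.c in this patch reads address[/mask][...] without the comma, while ip6tables.c and this man page use [,...]; the three should agree.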
diff --git a/iptables.c b/iptables.c
index 649baf4..7c075da 100644
--- a/iptables.c
+++ b/iptables.c
@@ -294,9 +294,9 @@ exit_printhelp(struct xtables_rule_match *matches)
 
 "Options:\n"
 "[!] --proto	-p proto	protocol: by number or name, eg. `tcp'\n"
-"[!] --source	-s address[/mask]\n"
+"[!] --source	-s address[/mask][...]\n"
 "				source specification\n"
-"[!] --destination -d address[/mask]\n"
+"[!] --destination -d address[/mask][...]\n"
 "				destination specification\n"
 "[!] --in-interface -i input name[+]\n"
 "				network interface name ([+] for wildcard)\n"
@@ -742,8 +742,10 @@ append_entry(const ipt_chainlabel chain,
 	     struct ipt_entry *fw,
 	     unsigned int nsaddrs,
 	     const struct in_addr saddrs[],
+	     const struct in_addr smasks[],
 	     unsigned int ndaddrs,
 	     const struct in_addr daddrs[],
+	     const struct in_addr dmasks[],
 	     int verbose,
 	     struct iptc_handle *handle)
 {
@@ -752,8 +754,10 @@ append_entry(const ipt_chainlabel chain,
 
 	for (i = 0; i < nsaddrs; i++) {
 		fw->ip.src.s_addr = saddrs[i].s_addr;
+		fw->ip.smsk.s_addr = smasks[i].s_addr;
 		for (j = 0; j < ndaddrs; j++) {
 			fw->ip.dst.s_addr = daddrs[j].s_addr;
+			fw->ip.dmsk.s_addr = dmasks[j].s_addr;
 			if (verbose)
 				print_firewall_line(fw, handle);
 			ret &= iptc_append_entry(chain, fw, handle);
@@ -786,8 +790,10 @@ insert_entry(const ipt_chainlabel chain,
 	     unsigned int rulenum,
 	     unsigned int nsaddrs,
 	     const struct in_addr saddrs[],
+	     const struct in_addr smasks[],
 	     unsigned int ndaddrs,
 	     const struct in_addr daddrs[],
+	     const struct in_addr dmasks[],
 	     int verbose,
 	     struct iptc_handle *handle)
 {
@@ -796,8 +802,10 @@ insert_entry(const ipt_chainlabel chain,
 
 	for (i = 0; i < nsaddrs; i++) {
 		fw->ip.src.s_addr = saddrs[i].s_addr;
+		fw->ip.smsk.s_addr = smasks[i].s_addr;
 		for (j = 0; j < ndaddrs; j++) {
 			fw->ip.dst.s_addr = daddrs[j].s_addr;
+			fw->ip.dmsk.s_addr = dmasks[j].s_addr;
 			if (verbose)
 				print_firewall_line(fw, handle);
 			ret &= iptc_insert_entry(chain, fw, rulenum, handle);
@@ -808,7 +816,7 @@ insert_entry(const ipt_chainlabel chain,
 }
 
 static unsigned char *
-make_delete_mask(struct ipt_entry *fw, struct xtables_rule_match *matches)
+make_delete_mask(struct xtables_rule_match *matches)
 {
 	/* Establish mask for comparison */
 	unsigned int size;
@@ -845,8 +853,10 @@ delete_entry(const ipt_chainlabel chain,
 	     struct ipt_entry *fw,
 	     unsigned int nsaddrs,
 	     const struct in_addr saddrs[],
+	     const struct in_addr smasks[],
 	     unsigned int ndaddrs,
 	     const struct in_addr daddrs[],
+	     const struct in_addr dmasks[],
 	     int verbose,
 	     struct iptc_handle *handle,
 	     struct xtables_rule_match *matches)
@@ -855,11 +865,13 @@ delete_entry(const ipt_chainlabel chain,
 	int ret = 1;
 	unsigned char *mask;
 
-	mask = make_delete_mask(fw, matches);
+	mask = make_delete_mask(matches);
 	for (i = 0; i < nsaddrs; i++) {
 		fw->ip.src.s_addr = saddrs[i].s_addr;
+		fw->ip.smsk.s_addr = smasks[i].s_addr;
 		for (j = 0; j < ndaddrs; j++) {
 			fw->ip.dst.s_addr = daddrs[j].s_addr;
+			fw->ip.dmsk.s_addr = dmasks[j].s_addr;
 			if (verbose)
 				print_firewall_line(fw, handle);
 			ret &= iptc_delete_entry(chain, fw, mask, handle);
@@ -1313,7 +1325,8 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle
 	struct ipt_entry fw, *e = NULL;
 	int invert = 0;
 	unsigned int nsaddrs = 0, ndaddrs = 0;
-	struct in_addr *saddrs = NULL, *daddrs = NULL;
+	struct in_addr *saddrs = NULL, *smasks = NULL;
+	struct in_addr *daddrs = NULL, *dmasks = NULL;
 
 	int c, verbose = 0;
 	const char *chain = NULL;
@@ -1848,12 +1861,12 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle
 	}
 
 	if (shostnetworkmask)
-		xtables_ipparse_any(shostnetworkmask, &saddrs,
-					&fw.ip.smsk, &nsaddrs);
+		xtables_ipparse_multiple(shostnetworkmask, &saddrs,
+					 &smasks, &nsaddrs);
 
 	if (dhostnetworkmask)
-		xtables_ipparse_any(dhostnetworkmask, &daddrs,
-					&fw.ip.dmsk, &ndaddrs);
+		xtables_ipparse_multiple(dhostnetworkmask, &daddrs,
+					 &dmasks, &ndaddrs);
 
 	if ((nsaddrs > 1 || ndaddrs > 1) &&
 	    (fw.ip.invflags & (IPT_INV_SRCIP | IPT_INV_DSTIP)))
@@ -1961,13 +1974,15 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle
 	switch (command) {
 	case CMD_APPEND:
 		ret = append_entry(chain, e,
-				   nsaddrs, saddrs, ndaddrs, daddrs,
+				   nsaddrs, saddrs, smasks,
+				   ndaddrs, daddrs, dmasks,
 				   options&OPT_VERBOSE,
 				   *handle);
 		break;
 	case CMD_DELETE:
 		ret = delete_entry(chain, e,
-				   nsaddrs, saddrs, ndaddrs, daddrs,
+				   nsaddrs, saddrs, smasks,
+				   ndaddrs, daddrs, dmasks,
 				   options&OPT_VERBOSE,
 				   *handle, matches);
 		break;
@@ -1981,7 +1996,8 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle
 		break;
 	case CMD_INSERT:
 		ret = insert_entry(chain, e, rulenum - 1,
-				   nsaddrs, saddrs, ndaddrs, daddrs,
+				   nsaddrs, saddrs, smasks,
+				   ndaddrs, daddrs, dmasks,
 				   options&OPT_VERBOSE,
 				   *handle);
 		break;
@@ -2042,7 +2058,9 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle
 	}
 
 	free(saddrs);
+	free(smasks);
 	free(daddrs);
+	free(dmasks);
 	xtables_free_opts(1);
 
 	return ret;
diff --git a/xtables.c b/xtables.c
index e018331..05154dd 100644
--- a/xtables.c
+++ b/xtables.c
@@ -271,6 +271,18 @@ void *xtables_malloc(size_t size)
 	return p;
 }
 
+void *xtables_realloc(void *ptr, size_t size)
+{
+	void *p;
+
+	if ((p = realloc(ptr, size)) == NULL) {
+		perror("ip[6]tables: realloc failed");
+		exit(1);
+	}
+
+	return p;
+}
+
 static char *get_modprobe(void)
 {
 	int procfile;
@@ -1133,6 +1145,86 @@ static struct in_addr *parse_ipmask(const char *mask)
 	return &maskaddr;
 }
 
+void xtables_ipparse_multiple(const char *name, struct in_addr **addrpp,
+                              struct in_addr **maskpp, unsigned int *naddrs)
+{
+	struct in_addr *addrp;
+	char buf[256], *p;
+	unsigned int len, i, j, n, count = 1;
+	const char *loop = name;
+
+	while ((loop = strchr(loop, ',')) != NULL) {
+		++count;
+		++loop; /* skip ',' */
+	}
+
+	*addrpp = xtables_malloc(sizeof(struct in_addr) * count);
+	*maskpp = xtables_malloc(sizeof(struct in_addr) * count);
+
+	loop = name;
+
+	for (i = 0; i < count; ++i) {
+		if (loop == NULL)
+			break;
+		if (*loop == ',')
+			++loop;
+		if (*loop == '\0')
+			break;
+		p = strchr(loop, ',');
+		if (p != NULL)
+			len = p - loop;
+		else
+			len = strlen(loop);
+		if (len == 0 || sizeof(buf) - 1 < len)
+			break;
+
+		strncpy(buf, loop, len);
+		buf[len] = '\0';
+		loop += len;
+		if ((p = strrchr(buf, '/')) != NULL) {
+			*p = '\0';
+			addrp = parse_ipmask(p + 1);
+		} else {
+			addrp = parse_ipmask(NULL);
+		}
+		memcpy(*maskpp + i, addrp, sizeof(*addrp));
+
+		/* if a null mask is given, the name is ignored, like in "any/0" */
+		if ((*maskpp + i)->s_addr == 0)
+			/*
+			 * A bit pointless to process multiple addresses
+			 * in this case...
+			 */
+			strcpy(buf, "0.0.0.0");
+
+		addrp = ipparse_hostnetwork(buf, &n);
+		if (n > 1) {
+			count += n - 1;
+			*addrpp = xtables_realloc(*addrpp,
+			          sizeof(struct in_addr) * count);
+			*maskpp = xtables_realloc(*maskpp,
+			          sizeof(struct in_addr) * count);
+			for (j = 0; j < n; ++j)
+				/* for each new addr */
+				memcpy(*addrpp + i + j, addrp + j,
+				       sizeof(*addrp));
+			for (j = 1; j < n; ++j)
+				/* for each new mask */
+				memcpy(*maskpp + i + j, *maskpp + i,
+				       sizeof(*addrp));
+			i += n - 1;
+		} else {
+			memcpy(*addrpp + i, addrp, sizeof(*addrp));
+		}
+		/* free what ipparse_hostnetwork had allocated: */
+		free(addrp);
+	}
+	*naddrs = count;
+	for (i = 0; i < n; ++i)
+		(*addrpp+i)->s_addr &= (*maskpp+i)->s_addr;
+}
+
+
 /**
  * xtables_ipparse_any - transform arbitrary name to in_addr
  *
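Review bot: in xtables_ipparse_multiple(), every early break out of the for loop (an empty element, an element longer than sizeof(buf) - 1, a trailing comma) still reaches *naddrs = count, so the caller is told about entries that were never written. With "-s 192.0.2.1," count is 2, the second iteration breaks on '\0', and slot 1 of both arrays is uninitialized xtables_malloc() memory that append_entry() will then copy into a rule. The closing masking loop is bounded by n, the result count of the last ipparse_hostnetwork() call, not by count, so later entries are never ANDed with their masks, and n is read uninitialized when the first iteration breaks. Suggest reporting a malformed element as a parameter error instead of breaking, setting *naddrs to the number of entries actually stored, and running the masking loop to that value.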
@@ -1364,6 +1456,89 @@ static struct in6_addr *parse_ip6mask(char *mask)
 	return &maskaddr;
 }
 
+void
+xtables_ip6parse_multiple(const char *name, struct in6_addr **addrpp,
+		      struct in6_addr **maskpp, unsigned int *naddrs)
+{
+	struct in6_addr *addrp;
+	char buf[256], *p;
+	unsigned int len, i, j, n, count = 1;
+	const char *loop = name;
+
+	while ((loop = strchr(loop, ',')) != NULL) {
+		++count;
+		++loop; /* skip ',' */
+	}
+
+	*addrpp = xtables_malloc(sizeof(struct in6_addr) * count);
+	*maskpp = xtables_malloc(sizeof(struct in6_addr) * count);
+
+	loop = name;
+
+	for (i = 0; i < count /*NB: count can grow*/; ++i) {
+		if (loop == NULL)
+			break;
+		if (*loop == ',')
+			++loop;
+		if (*loop == '\0')
+			break;
+		p = strchr(loop, ',');
+		if (p != NULL)
+			len = p - loop;
+		else
+			len = strlen(loop);
+		if (len == 0 || sizeof(buf) - 1 < len)
+			break;
+
+		strncpy(buf, loop, len);
+		buf[len] = '\0';
+		loop += len;
+		if ((p = strrchr(buf, '/')) != NULL) {
+			*p = '\0';
+			addrp = parse_ip6mask(p + 1);
+		} else {
+			addrp = parse_ip6mask(NULL);
+		}
+		memcpy(*maskpp + i, addrp, sizeof(*addrp));
+
+		/* if a null mask is given, the name is ignored, like in "any/0" */
+		if (memcmp(*maskpp + i, &in6addr_any, sizeof(in6addr_any)) == 0)
+			strcpy(buf, "::");
+
+		addrp = ip6parse_hostnetwork(buf, &n);
+		/* ip6parse_hostnetwork only ever returns one IP
+		address (it exits if the resolution fails).
+		Therefore, n will always be 1 here.  Leaving the
+		code below in anyway in case ip6parse_hostnetwork
+		is improved some day to behave like
+		ipparse_hostnetwork: */
+		if (n > 1) {
+			count += n - 1;
+			*addrpp = xtables_realloc(*addrpp,
+			          sizeof(struct in6_addr) * count);
+			*maskpp = xtables_realloc(*maskpp,
+			          sizeof(struct in6_addr) * count);
+			for (j = 0; j < n; ++j)
+				/* for each new addr */
+				memcpy(*addrpp + i + j, addrp + j,
+				       sizeof(*addrp));
+			for (j = 1; j < n; ++j)
+				/* for each new mask */
+				memcpy(*maskpp + i + j, *maskpp + i,
+				       sizeof(*addrp));
+			i += n - 1;
+		} else {
+			memcpy(*addrpp + i, addrp, sizeof(*addrp));
+		}
+		/* free what ip6parse_hostnetwork had allocated: */
+		free(addrp);
+	}
+	*naddrs = count;
+	for (i = 0; i < n; ++i)
+		for (j = 0; j < 4; ++j)
+			(*addrpp+i)->s6_addr32[j] &= (*maskpp+i)->s6_addr32[j];
+}
+
 void xtables_ip6parse_any(const char *name, struct in6_addr **addrpp,
                           struct in6_addr *maskp, unsigned int *naddrs)
 {
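Review bot: the masking loop at the end of xtables_ip6parse_multiple() runs for (i = 0; i < n; ++i), and the comment above the n > 1 branch states that n is always 1 here, so only the first address is ANDed with its mask. For "-s 2001:db8::1/64,2001:db8:1::1/64" the second entry keeps its host bits while carrying a /64 mask, so the stored address and mask disagree. The bound should be *naddrs. As in the IPv4 version, the early break paths also leave *naddrs = count with unwritten slots, and n is uninitialized if the first iteration breaks.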
-- 
1.6.3.1
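
The rule expansion this patch introduces, as an added example that is not part of the original posting and is not iptables code: a comma-separated address list is split into address/mask pairs, every entry is masked, malformed elements are rejected rather than skipped, and the returned count is the number of entries stored. The names `addr_mask`, `parse_addr_list` and `expanded_rule_count` are hypothetical, and the sketch assumes numeric IPv4 addresses with prefix-length masks only (no hostname resolution).

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical type: one parsed "address[/prefix]" element (network order). */
struct addr_mask {
	struct in_addr addr;
	struct in_addr mask;
};

/* Convert a decimal prefix length 0..32 to a netmask; -1 on bad input. */
static int prefix_to_mask(const char *s, struct in_addr *mask)
{
	char *end;
	unsigned long bits = strtoul(s, &end, 10);

	if (*s == '\0' || *end != '\0' || bits > 32)
		return -1;
	mask->s_addr = bits ? htonl(0xFFFFFFFFu << (32 - bits)) : 0;
	return 0;
}

/*
 * Split "a[/len],b[/len],..." into a freshly allocated array.
 * Returns the number of elements actually stored (>= 1), or -1 on any
 * malformed element, in which case *out is NULL. The caller frees *out.
 */
int parse_addr_list(const char *spec, struct addr_mask **out)
{
	size_t cap = 1, n = 0;
	const char *p;
	struct addr_mask *v;

	*out = NULL;
	for (p = spec; (p = strchr(p, ',')) != NULL; ++p)
		++cap;                  /* upper bound: commas + 1 */
	v = calloc(cap, sizeof(*v));
	if (v == NULL)
		return -1;

	for (p = spec; ; ) {
		char buf[64], *slash;
		size_t len = strcspn(p, ",");

		if (len == 0 || len >= sizeof(buf))
			goto fail;      /* empty or overlong element */
		memcpy(buf, p, len);
		buf[len] = '\0';

		slash = strchr(buf, '/');
		if (slash != NULL) {
			*slash = '\0';
			if (prefix_to_mask(slash + 1, &v[n].mask) < 0)
				goto fail;
		} else {
			v[n].mask.s_addr = htonl(0xFFFFFFFFu);
		}
		if (inet_pton(AF_INET, buf, &v[n].addr) != 1)
			goto fail;
		/* Mask each entry as it is stored, not just the first one. */
		v[n].addr.s_addr &= v[n].mask.s_addr;
		++n;

		p += len;
		if (*p == '\0')
			break;
		++p;                    /* skip ',' */
	}
	*out = v;
	return (int)n;
fail:
	free(v);
	return -1;
}

/* Rules one command expands to: one per source/destination pair. */
int expanded_rule_count(const char *src, const char *dst)
{
	struct addr_mask *s, *d;
	int ns = parse_addr_list(src, &s), nd = parse_addr_list(dst, &d);

	free(s);
	free(d);
	return (ns < 0 || nd < 0) ? -1 : ns * nd;
}

int main(void)
{
	/* Constructed sample input (documentation address ranges). */
	const char *src = "192.0.2.77/24,198.51.100.9";
	struct addr_mask *v;
	int i, n = parse_addr_list(src, &v);

	for (i = 0; i < n; ++i) {
		char a[INET_ADDRSTRLEN], m[INET_ADDRSTRLEN];

		inet_ntop(AF_INET, &v[i].addr, a, sizeof(a));
		inet_ntop(AF_INET, &v[i].mask, m, sizeof(m));
		printf("rule %d: -s %s/%s\n", i + 1, a, m);
	}
	free(v);
	return n < 0;
}
```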



* [PATCH 2/3] DNAT/SNAT: add manpage documentation for --persistent flag
  2009-06-05 19:25 iptables: pull request June-05 Jan Engelhardt
  2009-06-05 19:25 ` [PATCH 1/3] iptables: accept multiple IP address specifications for -s, -d Jan Engelhardt
@ 2009-06-05 19:25 ` Jan Engelhardt
  2009-06-08 13:46   ` Patrick McHardy
  2009-06-05 19:25 ` [PATCH 3/3] extensions: remove redundant casts Jan Engelhardt
  2009-06-08 13:45 ` iptables: pull request June-05 Patrick McHardy
  3 siblings, 1 reply; 17+ messages in thread
From: Jan Engelhardt @ 2009-06-05 19:25 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libipt_DNAT.man |    7 +++++--
 extensions/libipt_SAME.man |    2 ++
 extensions/libipt_SNAT.man |    7 +++++--
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/extensions/libipt_DNAT.man b/extensions/libipt_DNAT.man
index 22e84c6..d1e0a3a 100644
--- a/extensions/libipt_DNAT.man
+++ b/extensions/libipt_DNAT.man
@@ -32,5 +32,8 @@ anymore.
 If option
 \fB\-\-random\fP
 is used then port mapping will be randomized (kernel >= 2.6.22).
-.RS
-.PP
+.TP
+\fB\-\-persistent\fP
+Gives a client the same source-/destination-address for each connection.
+This supersedes the SAME target. Support for persistent mappings is available
+from 2.6.29-rc2.
diff --git a/extensions/libipt_SAME.man b/extensions/libipt_SAME.man
index b862aa4..a99dc73 100644
--- a/extensions/libipt_SAME.man
+++ b/extensions/libipt_SAME.man
@@ -1,6 +1,8 @@
 Similar to SNAT/DNAT depending on chain: it takes a range of addresses
 (`\-\-to 1.2.3.4\-1.2.3.7') and gives a client the same
 source-/destination-address for each connection.
+.PP
+N.B.: The DNAT target's \fB\-\-persistent\fP option replaced the SAME target.
 .TP
 \fB\-\-to\fP \fIipaddr\fP[\fB\-\fP\fIipaddr\fP]
 Addresses to map source to. May be specified more than once for
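Review bot: the added N.B. line names only the DNAT target, but the first sentence of this page says SAME behaves like SNAT or DNAT depending on chain, and this same patch documents \-\-persistent in libipt_SNAT.man as well. Suggest wording it as the SNAT and DNAT targets' \-\-persistent option having replaced the SAME target, so a reader migrating a source-NAT rule is not sent to the wrong page.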
diff --git a/extensions/libipt_SNAT.man b/extensions/libipt_SNAT.man
index 040571b..6b828fd 100644
--- a/extensions/libipt_SNAT.man
+++ b/extensions/libipt_SNAT.man
@@ -30,5 +30,8 @@ anymore.
 If option
 \fB\-\-random\fP
 is used then port mapping will be randomized (kernel >= 2.6.21).
-.RS
-.PP
+.TP
+\fB\-\-persistent\fP
+Gives a client the same source-/destination-address for each connection.
+This supersedes the SAME target. Support for persistent mappings is available
+from 2.6.29-rc2.
-- 
1.6.3.1



* [PATCH 3/3] extensions: remove redundant casts
  2009-06-05 19:25 iptables: pull request June-05 Jan Engelhardt
  2009-06-05 19:25 ` [PATCH 1/3] iptables: accept multiple IP address specifications for -s, -d Jan Engelhardt
  2009-06-05 19:25 ` [PATCH 2/3] DNAT/SNAT: add manpage documentation for --persistent flag Jan Engelhardt
@ 2009-06-05 19:25 ` Jan Engelhardt
  2009-06-08 13:47   ` Patrick McHardy
  2009-06-08 13:45 ` iptables: pull request June-05 Patrick McHardy
  3 siblings, 1 reply; 17+ messages in thread
From: Jan Engelhardt @ 2009-06-05 19:25 UTC (permalink / raw)
  To: kaber; +Cc: netfilter-devel

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 extensions/libipt_realm.c    |    4 ++--
 extensions/libxt_multiport.c |   12 ++++++------
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/extensions/libipt_realm.c b/extensions/libipt_realm.c
index 0580610..c9e1760 100644
--- a/extensions/libipt_realm.c
+++ b/extensions/libipt_realm.c
@@ -86,14 +86,14 @@ static void load_realms(void)
 			continue;
 
 		/* found valid data */
-		newnm = (struct realmname*)malloc(sizeof(struct realmname));
+		newnm = malloc(sizeof(struct realmname));
 		if (newnm == NULL) {
 			perror("libipt_realm: malloc failed");
 			exit(1);
 		}
 		newnm->id = id;
 		newnm->len = nxt - cur;
-		newnm->name = (char*)malloc(newnm->len + 1);
+		newnm->name = malloc(newnm->len + 1);
 		if (newnm->name == NULL) {
 			perror("libipt_realm: malloc failed");
 			exit(1);
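Review bot: with the casts gone, both allocations in load_realms() still open-code the NULL check, perror() and exit(1) that xtables_malloc() in xtables.c already performs. Since these lines are being touched anyway, newnm = xtables_malloc(sizeof(*newnm)) and the same for newnm->name would drop the two duplicate error paths and tie the size to the variable rather than to the type name.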
diff --git a/extensions/libxt_multiport.c b/extensions/libxt_multiport.c
index c3c8bb9..9959a20 100644
--- a/extensions/libxt_multiport.c
+++ b/extensions/libxt_multiport.c
@@ -215,7 +215,7 @@ static int
 multiport_parse6(int c, char **argv, int invert, unsigned int *flags,
                  const void *e, struct xt_entry_match **match)
 {
-	const struct ip6t_entry *entry = (const struct ip6t_entry *)e;
+	const struct ip6t_entry *entry = e;
 	return __multiport_parse(c, argv, invert, flags, match,
 	       entry->ipv6.proto, entry->ipv6.invflags);
 }
@@ -278,7 +278,7 @@ static int
 multiport_parse6_v1(int c, char **argv, int invert, unsigned int *flags,
                     const void *e, struct xt_entry_match **match)
 {
-	const struct ip6t_entry *entry = (const struct ip6t_entry *)e;
+	const struct ip6t_entry *entry = e;
 	return __multiport_parse_v1(c, argv, invert, flags, match,
 	       entry->ipv6.proto, entry->ipv6.invflags);
 }
@@ -358,7 +358,7 @@ static void multiport_print(const void *ip_void,
 static void multiport_print6(const void *ip_void,
                              const struct xt_entry_match *match, int numeric)
 {
-	const struct ip6t_ip6 *ip = (const struct ip6t_ip6 *)ip_void;
+	const struct ip6t_ip6 *ip = ip_void;
 	__multiport_print(match, numeric, ip->proto);
 }
 
@@ -413,7 +413,7 @@ static void multiport_print_v1(const void *ip_void,
 static void multiport_print6_v1(const void *ip_void,
                                 const struct xt_entry_match *match, int numeric)
 {
-	const struct ip6t_ip6 *ip = (const struct ip6t_ip6 *)ip_void;
+	const struct ip6t_ip6 *ip = ip_void;
 	__multiport_print_v1(match, numeric, ip->proto);
 }
 
@@ -456,7 +456,7 @@ static void multiport_save(const void *ip_void,
 static void multiport_save6(const void *ip_void,
                             const struct xt_entry_match *match)
 {
-	const struct ip6t_ip6 *ip = (const struct ip6t_ip6 *)ip_void;
+	const struct ip6t_ip6 *ip = ip_void;
 	__multiport_save(match, ip->proto);
 }
 
@@ -505,7 +505,7 @@ static void multiport_save_v1(const void *ip_void,
 static void multiport_save6_v1(const void *ip_void,
                                const struct xt_entry_match *match)
 {
-	const struct ip6t_ip6 *ip = (const struct ip6t_ip6 *)ip_void;
+	const struct ip6t_ip6 *ip = ip_void;
 	__multiport_save_v1(match, ip->proto);
 }
 
-- 
1.6.3.1



* Re: [PATCH 1/3] iptables: accept multiple IP address specifications for -s, -d
  2009-06-05 19:25 ` [PATCH 1/3] iptables: accept multiple IP address specifications for -s, -d Jan Engelhardt
@ 2009-06-06  6:53   ` Pablo Neira Ayuso
  2009-06-06 11:16     ` Jan Engelhardt
  2009-06-08 13:50     ` Patrick McHardy
  0 siblings, 2 replies; 17+ messages in thread
From: Pablo Neira Ayuso @ 2009-06-06  6:53 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: kaber, netfilter-devel

Hi Jan,

Jan Engelhardt wrote:
> From: Michael Granzow <mgranzow@zeus.com>
> 
> libiptc already supports adding and deleting multiple rules with
> different addresses, so it only needs to be wired up to the options.
> 
> 	# ip6tables -I INPUT -s 2001:db8::d,2001:db8::e -j DROP
> 
> References: http://marc.info/?l=netfilter-devel&m=123929790719202&w=2

I think this is handy for users so I can find it useful.

The only concern that I have with this is that it changes the existing
1:1 mapping between commands and iptables rules. I mean, people may get
confused because of this "rule expansion" feature, they may think that
we natively support layer 3 address sets? Probably it's a matter of
documenting this.

I'd like to know what Patrick thinks about this anyway.

Just a minor nitpick:

> +Multiple addresses can be specified when, but this will \fBreplicate\fP the
                                       ^^^^
This sentence is incomplete? I suggest to refer to the rule expansion
feature.

> +rule (when adding with \-A), or will cause multiple rules to be
> +deleted (with \-D).

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers


* Re: [PATCH 1/3] iptables: accept multiple IP address specifications for -s, -d
  2009-06-06  6:53   ` Pablo Neira Ayuso
@ 2009-06-06 11:16     ` Jan Engelhardt
  2009-06-07 21:12       ` Pablo Neira Ayuso
  2009-06-08 13:50     ` Patrick McHardy
  1 sibling, 1 reply; 17+ messages in thread
From: Jan Engelhardt @ 2009-06-06 11:16 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: kaber, netfilter-devel


On Saturday 2009-06-06 08:53, Pablo Neira Ayuso wrote:
>> 
>> 	# ip6tables -I INPUT -s 2001:db8::d,2001:db8::e -j DROP
>> 
>> References: http://marc.info/?l=netfilter-devel&m=123929790719202&w=2
>
>I think this is handy for users so I can find it useful.
>
>The only concern that I have with this is that it changes the existing
>1:1 mapping between commands and iptables rules. I mean, people may get
>confused because of this "rule expansion" feature, they may think that
>we natively support layer 3 address sets? Probably it's a matter of
>documenting this.

Hence:

>> +Multiple addresses can be specified when, but this will \fBreplicate\fP the
>                                       ^^^^
>This sentence is incomplete? I suggest to refer to the rule expansion
>feature.

Well, I think <b>replicate</b> hits the expansion pretty good.

>> +rule (when adding with \-A), or will cause multiple rules to be
>> +deleted (with \-D).

I'll remove the 'when' in a rebase.


* Re: [PATCH 1/3] iptables: accept multiple IP address specifications for -s, -d
  2009-06-06 11:16     ` Jan Engelhardt
@ 2009-06-07 21:12       ` Pablo Neira Ayuso
  0 siblings, 0 replies; 17+ messages in thread
From: Pablo Neira Ayuso @ 2009-06-07 21:12 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: kaber, netfilter-devel

Jan Engelhardt wrote:
> On Saturday 2009-06-06 08:53, Pablo Neira Ayuso wrote:
>>> 	# ip6tables -I INPUT -s 2001:db8::d,2001:db8::e -j DROP
>>>
>>> References: http://marc.info/?l=netfilter-devel&m=123929790719202&w=2
>> I think this is handy for users so I can find it useful.
>>
>> The only concern that I have with this is that it changes the existing
>> 1:1 mapping between commands and iptables rules. I mean, people may get
>> confused because of this "rule expansion" feature, they may think that
>> we natively support layer 3 address sets? Probably it's a matter of
>> documenting this.
> 
> Hence:
> 
>>> +Multiple addresses can be specified when, but this will \fBreplicate\fP the
>>                                       ^^^^
>> This sentence is incomplete? I suggest to refer to the rule expansion
>> feature.
> 
> Well, I think <b>replicate</b> hits the expansion pretty good.

To replicate means to make a copy, and this is not what this does. But,
to be frank, I really don't care.

-- 
"The honest are social misfits" -- Les Luthiers


* Re: iptables: pull request June-05
  2009-06-05 19:25 iptables: pull request June-05 Jan Engelhardt
                   ` (2 preceding siblings ...)
  2009-06-05 19:25 ` [PATCH 3/3] extensions: remove redundant casts Jan Engelhardt
@ 2009-06-08 13:45 ` Patrick McHardy
  3 siblings, 0 replies; 17+ messages in thread
From: Patrick McHardy @ 2009-06-08 13:45 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

Jan Engelhardt wrote:
> Hi,
> 
> 
> in another working copy I found these accumulated pieces:
> 
> 	Jan Engelhardt (2):
> 	      DNAT/SNAT: add manpage documentation for --persistent flag
> 	      extensions: remove redundant casts
> 
> 	Michael Granzow (1):
> 	      iptables: accept multiple IP address specifications for -s, -d

I'll happily take 2 and 3, but 1 will have to wait until after
the release.


* Re: [PATCH 2/3] DNAT/SNAT: add manpage documentation for --persistent flag
  2009-06-05 19:25 ` [PATCH 2/3] DNAT/SNAT: add manpage documentation for --persistent flag Jan Engelhardt
@ 2009-06-08 13:46   ` Patrick McHardy
  0 siblings, 0 replies; 17+ messages in thread
From: Patrick McHardy @ 2009-06-08 13:46 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

Jan Engelhardt wrote:

Applied, thanks.


* Re: [PATCH 3/3] extensions: remove redundant casts
  2009-06-05 19:25 ` [PATCH 3/3] extensions: remove redundant casts Jan Engelhardt
@ 2009-06-08 13:47   ` Patrick McHardy
  0 siblings, 0 replies; 17+ messages in thread
From: Patrick McHardy @ 2009-06-08 13:47 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

Jan Engelhardt wrote:

Also applied, thanks.


* Re: [PATCH 1/3] iptables: accept multiple IP address specifications for -s, -d
  2009-06-06  6:53   ` Pablo Neira Ayuso
  2009-06-06 11:16     ` Jan Engelhardt
@ 2009-06-08 13:50     ` Patrick McHardy
  2009-06-10 12:16       ` Jan Engelhardt
  1 sibling, 1 reply; 17+ messages in thread
From: Patrick McHardy @ 2009-06-08 13:50 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Jan Engelhardt, netfilter-devel

Pablo Neira Ayuso wrote:
> Hi Jan,
> 
> Jan Engelhardt wrote:
>> From: Michael Granzow <mgranzow@zeus.com>
>>
>> libiptc already supports adding and deleting multiple rules with
>> different addresses, so it only needs to be wired up to the options.
>>
>> 	# ip6tables -I INPUT -s 2001:db8::d,2001:db8::e -j DROP
>>
>> References: http://marc.info/?l=netfilter-devel&m=123929790719202&w=2
> 
> I think this is handy for users so I can find it useful.
> 
> The only concern that I have with this is that it changes the existing
> 1:1 mapping between commands and iptables rules. I mean, people may get
> confused because of this "rule expansion" feature, they may think that
> we natively support layer 3 address sets? Probably it's a matter of
> documenting this.
> 
> I'd like to know what Patrick thinks about this anyway.

No objections besides that it's too large for this late in the cycle.


* Re: [PATCH 1/3] iptables: accept multiple IP address specifications for -s, -d
  2009-06-08 13:50     ` Patrick McHardy
@ 2009-06-10 12:16       ` Jan Engelhardt
  2009-06-10 12:19         ` Patrick McHardy
  2009-06-25 17:08         ` Jan Engelhardt
  0 siblings, 2 replies; 17+ messages in thread
From: Jan Engelhardt @ 2009-06-10 12:16 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: Pablo Neira Ayuso, netfilter-devel


On Monday 2009-06-08 15:50, Patrick McHardy wrote:
>>> From: Michael Granzow <mgranzow@zeus.com>
>>>
>>> libiptc already supports adding and deleting multiple rules with
>>> different addresses, so it only needs to be wired up to the options.
>>>
>>> 	# ip6tables -I INPUT -s 2001:db8::d,2001:db8::e -j DROP
>
> No objections besides that it's too large for this late in the cycle.
>
Git is not as castrated as Hg when it comes to branches, so why not
make a "stable" branch that is then regularly merged into master? :)

The concept fares well with e.g. pam_mount (look at its gitk tree from v0.43
downwards); automake also considered, and now uses, this scheme.


* Re: [PATCH 1/3] iptables: accept multiple IP address specifications for -s, -d
  2009-06-10 12:16       ` Jan Engelhardt
@ 2009-06-10 12:19         ` Patrick McHardy
  2009-06-25 17:08         ` Jan Engelhardt
  1 sibling, 0 replies; 17+ messages in thread
From: Patrick McHardy @ 2009-06-10 12:19 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Pablo Neira Ayuso, netfilter-devel

Jan Engelhardt wrote:
> On Monday 2009-06-08 15:50, Patrick McHardy wrote:
>>>> From: Michael Granzow <mgranzow@zeus.com>
>>>>
>>>> libiptc already supports adding and deleting multiple rules with
>>>> different addresses, so it only needs to be wired up to the options.
>>>>
>>>> 	# ip6tables -I INPUT -s 2001:db8::d,2001:db8::e -j DROP
>> No objections besides that it's too large for this late in the cycle.
>>
> Git is not as castrated as Hg when it comes to branches, so why not
> make a "stable" branch that is then regularly merged into master? :)

I don't see why that would currently be necessary. We're talking
about a few days, and in fact I'd rather have people test the
current code before the release instead of hacking on new things :)


* Re: [PATCH 1/3] iptables: accept multiple IP address specifications for -s, -d
  2009-06-10 12:16       ` Jan Engelhardt
  2009-06-10 12:19         ` Patrick McHardy
@ 2009-06-25 17:08         ` Jan Engelhardt
  2009-07-16 14:24           ` Jan Engelhardt
  1 sibling, 1 reply; 17+ messages in thread
From: Jan Engelhardt @ 2009-06-25 17:08 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: Pablo Neira Ayuso, Netfilter Developer Mailing List


On   2009-06-10 12:19:59, Patrick wrote:
>On Wednesday 2009-06-10 14:16, Jan Engelhardt wrote:
>>
>>Git is not as castrated as Hg when it comes to branches, so why not
>>make a "stable" branch that is then regularly merged into master? :)
>
>I don't see why that would currently be necessary. We're talking
>about a few days, and in fact I'd rather have people test the
>current code before the release instead of hacking on new things :)

Yeah but in general? The - judging from their version numbers -
x.y.z.S stable versions like 1.4.3.1 used to receive lots of new
features because there is just master, in which case it should
have been the new 1.4.4 already.
So either z is bumped more often and S-versions will not
be released, or S only receives fixes, necessitating a separate branch.
Objections?

Jan


* Re: [PATCH 1/3] iptables: accept multiple IP address specifications for -s, -d
  2009-06-25 17:08         ` Jan Engelhardt
@ 2009-07-16 14:24           ` Jan Engelhardt
  2009-07-17 14:31             ` Patrick McHardy
  0 siblings, 1 reply; 17+ messages in thread
From: Jan Engelhardt @ 2009-07-16 14:24 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: Pablo Neira Ayuso, Netfilter Developer Mailing List


On Thursday 2009-06-25 19:08, Jan Engelhardt wrote:
>On   2009-06-10 12:19:59, Patrick wrote:
>>On Wednesday 2009-06-10 14:16, Jan Engelhardt wrote:
>>>
>>>Git is not as castrated as Hg when it comes to branches, so why not
>>>make a "stable" branch that is then regularly merged into master? :)
>>
>>I don't see why that would currently be necessary. We're talking
>>about a few days, and in fact I'd rather have people test the
>>current code before the release instead of hacking on new things :)
>
>Yeah but in general? The - judging from their version numbers -
>x.y.z.S stable versions like 1.4.3.1 used to receive lots of new
>features because there is just master, in which case it should
>have been the new 1.4.4 already.
>So either z is bumped more often and S-versions will not
>be released, or S only receives fixes, necessitating a separate branch.
>Objections?

It would be cool to get an answer here so I know how to twingle 
patchbranches that I'd like to submit.


* Re: [PATCH 1/3] iptables: accept multiple IP address specifications for -s, -d
  2009-07-16 14:24           ` Jan Engelhardt
@ 2009-07-17 14:31             ` Patrick McHardy
  2009-07-17 15:55               ` Jan Engelhardt
  0 siblings, 1 reply; 17+ messages in thread
From: Patrick McHardy @ 2009-07-17 14:31 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Pablo Neira Ayuso, Netfilter Developer Mailing List

Jan Engelhardt wrote:
> On Thursday 2009-06-25 19:08, Jan Engelhardt wrote:
>> On   2009-06-10 12:19:59, Patrick wrote:
>>> On Wednesday 2009-06-10 14:16, Jan Engelhardt wrote:
>>>> Git is not as castrated as Hg when it comes to branches, so why not
>>>> make a "stable" branch that is then regularly merged into master? :)
>>> I don't see why that would currently be necessary. We're talking
>>> about a few days, and in fact I'd rather have people test the
>>> current code before the release instead of hacking on new things :)
>> Yeah but in general? The - judging from their version numbers -
>> x.y.z.S stable versions like 1.4.3.1 used to receive lots of new
>> features because there is just master, in which case it should
>> have been the new 1.4.4 already.
>> So either z is bumped more often and S-versions will not
>> be released, or S only receives fixes, necessitating a separate branch.
>> Objections?
> 
> It would be cool to get an answer here so I know how to twingle 
> patchbranches that I'd like to submit.

Well, I don't object to having a stable branch when we actually do
need to release pure bug-fix versions. But I'd say those can be
created on demand.



* Re: [PATCH 1/3] iptables: accept multiple IP address specifications for -s, -d
  2009-07-17 14:31             ` Patrick McHardy
@ 2009-07-17 15:55               ` Jan Engelhardt
  0 siblings, 0 replies; 17+ messages in thread
From: Jan Engelhardt @ 2009-07-17 15:55 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: Pablo Neira Ayuso, Netfilter Developer Mailing List


On Friday 2009-07-17 16:31, Patrick McHardy wrote:
>>> Yeah but in general? The - judging from their version numbers -
>>> x.y.z.S stable versions like 1.4.3.1 used to receive lots of new
>>> features because there is just master, in which case it should
>>> have been the new 1.4.4 already.
>>> So either z is bumped more often and S-versions will not
>>> be released, or S only receives fixes, necessitating a separate branch.
>>> Objections?
>> 
>> It would be cool to get an answer here so I know how to twingle 
>> patchbranches that I'd like to submit.
>
>Well, I don't object to having a stable branch when we actually do
>need to release pure bug-fix versions. But I'd say those can be
>created on demand.
>
Yes, but it requires that any bugfix commit does not have master as a
descendent (otherwise it would be perturbed by dev commits). The core
essential of a (de facto) stable branch is that solely the most
recent tag, (or stable commits), are a parent.

That is what I want to be sure of, esp. when others send commits.
Below's patches respect this.


"Please pull from..."
	git://dev.medozas.de/iptables stable

the two (2) things that Jan Engelhardt piled up:
      xt_conntrack: revision 2 for enlarged state_mask member
      libxt_helper: fix invalid passed option to check_inverse

 extensions/libxt_conntrack.c           |  175 +++++++++++++++++++++++++++-----
 extensions/libxt_helper.c              |    2 +-
 include/linux/netfilter/xt_conntrack.h |   13 +++
 3 files changed, 162 insertions(+), 28 deletions(-)
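
The ancestry condition described in the message above (a stable branch whose commits have only the most recent tag, or other stable commits, as parents) can be checked before pulling. The following is an added example, not part of the thread or of the iptables tree; the function names, the branch names stable-good and stable-bad, and the tag v1 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify that a branch offered as "stable" was built only on
# the last release tag (or earlier stable commits), not on development work.

# stable_is_clean REPO BASE INCOMING DEV
#   BASE     most recent release tag, or the last accepted stable head
#   INCOMING branch offered as stable
#   DEV      development branch (master)
# Succeeds when BASE is an ancestor of INCOMING and no commit in
# BASE..INCOMING is reachable from DEV.
stable_is_clean() {
    repo=$1; base=$2; incoming=$3; dev=$4
    git -C "$repo" merge-base --is-ancestor "$base" "$incoming" || return 1
    new=$(git -C "$repo" rev-list --count "$base..$incoming") || return 1
    own=$(git -C "$repo" rev-list --count "$incoming" --not "$base" "$dev") || return 1
    [ "$new" -eq "$own" ]
}

# Empty commit with a fixed identity so the demo needs no git configuration.
demo_commit() {
    git -C "$1" -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false commit -q --allow-empty -m "$2"
}

# Constructed history (hypothetical names):
#   v1 -- dev1 -- dev2        master
#    \-- fix1                 stable-good (forked from the tag)
#                  \-- fix2   stable-bad  (forked from master)
make_demo_repo() {
    d=$1
    git init -q "$d" &&
    git -C "$d" symbolic-ref HEAD refs/heads/master &&
    demo_commit "$d" "release" && git -C "$d" tag v1 &&
    demo_commit "$d" "dev1" && demo_commit "$d" "dev2" &&
    git -C "$d" checkout -q -b stable-good v1 && demo_commit "$d" "fix1" &&
    git -C "$d" checkout -q -b stable-bad master && demo_commit "$d" "fix2"
}
```

The check only compares against the named development branch, so work merged in from a private branch is not detected. Once stable has been merged into master, pass the last accepted stable head as BASE instead of the tag.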
