From patchwork Wed Dec 4 18:17:53 2019
X-Patchwork-Submitter: Arturo Borrero Gonzalez
X-Patchwork-Id: 1204323
X-Patchwork-Delegate: pablo@netfilter.org
Subject: [iptables PATCH 1/7] iptables: install iptables-apply script and manpage
From: Arturo Borrero Gonzalez
To: netfilter-devel@vger.kernel.org
Date: Wed, 04 Dec 2019 19:17:53 +0100
Message-ID: <157548347377.125234.12163057581146113349.stgit@endurance>

From: Laurence J. Lane

We have the iptables-apply script in the tree (and in the release tarball), but it is not being installed anywhere. Same for the manpage.

Arturo says: I'm not a strong supporter of this script, but there are many users of it, so better do things right and do a proper installation.

This patch is forwarded from the iptables Debian package, where it has been around for many years now.

Signed-off-by: Laurence J. Lane
Signed-off-by: Arturo Borrero Gonzalez
---
 iptables/Makefile.am | 7 ++++++-
 iptables/ip6tables-apply.8 | 1 +
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 iptables/ip6tables-apply.8

diff --git a/iptables/Makefile.am b/iptables/Makefile.am
index fc834e0f..71b1b1d4 100644
--- a/iptables/Makefile.am
+++ b/iptables/Makefile.am
@@ -53,7 +53,11 @@ sbin_PROGRAMS += xtables-nft-multi endif man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \ iptables-xml.1 ip6tables.8 ip6tables-restore.8 \ - ip6tables-save.8 iptables-extensions.8 + ip6tables-save.8 iptables-extensions.8 \ + iptables-apply.8 ip6tables-apply.8 + +sbin_SCRIPT = iptables-apply + if ENABLE_NFTABLES man_MANS += xtables-nft.8 xtables-translate.8 xtables-legacy.8 \ iptables-translate.8 ip6tables-translate.8 \ @@ -106,3 +110,4 @@ install-exec-hook: for i in ${v4_sbin_links}; do ${LN_S} -f xtables-legacy-multi "${DESTDIR}${sbindir}/$$i"; done; for i in ${v6_sbin_links}; do ${LN_S} -f xtables-legacy-multi "${DESTDIR}${sbindir}/$$i"; done; for i in ${x_sbin_links}; do ${LN_S} -f xtables-nft-multi "${DESTDIR}${sbindir}/$$i"; done; + ${LN_S} -f iptables-apply "${DESTDIR}${sbindir}/ip6tables-apply" diff --git a/iptables/ip6tables-apply.8 b/iptables/ip6tables-apply.8 new file mode 100644 index 00000000..994b487a --- /dev/null +++ b/iptables/ip6tables-apply.8 
@@ -0,0 +1 @@ +.so man8/iptables-apply.8

From patchwork Wed Dec 4 18:18:00 2019
X-Patchwork-Submitter: Arturo Borrero Gonzalez
X-Patchwork-Id: 1204324
X-Patchwork-Delegate: pablo@netfilter.org
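Review bot: On the iptables/Makefile.am hunk of PATCH 1/7, `sbin_SCRIPT = iptables-apply` uses a primary that automake does not recognise; the primary for installable scripts is the plural form, so as written nothing is installed, and the `${LN_S} -f iptables-apply "${DESTDIR}${sbindir}/ip6tables-apply"` line added to install-exec-hook in the second hunk would then point at a file that was never installed. Change it to `sbin_SCRIPTS = iptables-apply`.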
Subject: [iptables PATCH 2/7] iptables: cleanup "allows to" usage
From: Arturo Borrero Gonzalez
To: netfilter-devel@vger.kernel.org
Date: Wed, 04 Dec 2019 19:18:00 +0100
Message-ID: <157548348081.125234.8160382864595983342.stgit@endurance>
In-Reply-To: <157548347377.125234.12163057581146113349.stgit@endurance>

From: Laurence J. Lane

Grammatical cleanup.

Arturo says: This patch is forwarded from the iptables Debian package, where it has been around for many years now.

Signed-off-by: Laurence J. Lane
Signed-off-by: Arturo Borrero Gonzalez
---
 extensions/libipt_ECN.man | 2 +-
 extensions/libxt_AUDIT.man | 2 +-
 extensions/libxt_CHECKSUM.man | 2 +-
 extensions/libxt_CT.man | 2 +-
 extensions/libxt_DSCP.man | 2 +-
 extensions/libxt_TCPMSS.man | 2 +-
 extensions/libxt_osf.c | 2 +-
 iptables/iptables.8.in | 4 ++--
 8 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/extensions/libipt_ECN.man b/extensions/libipt_ECN.man
index a9cbe109..8ae7996e 100644
--- a/extensions/libipt_ECN.man
+++ b/extensions/libipt_ECN.man
@@ -1,4 +1,4 @@ -This target allows to selectively work around known ECN blackholes. +This target selectively works around known ECN blackholes. It can only be used in the mangle table. .TP \fB\-\-ecn\-tcp\-remove\fP
diff --git a/extensions/libxt_AUDIT.man b/extensions/libxt_AUDIT.man index 4f5562e8..57cce8c4 100644 --- a/extensions/libxt_AUDIT.man +++ b/extensions/libxt_AUDIT.man @@ -1,4 +1,4 @@ -This target allows to create audit records for packets hitting the target. +This target allows creates audit records for packets hitting the target. It can be used to record accepted, dropped, and rejected packets. See auditd(8) for additional details. .TP diff --git a/extensions/libxt_CHECKSUM.man b/extensions/libxt_CHECKSUM.man index 92ae700f..726f4ea6 100644 --- a/extensions/libxt_CHECKSUM.man +++ b/extensions/libxt_CHECKSUM.man @@ -1,4 +1,4 @@ -This target allows to selectively work around broken/old applications. +This target selectively works around broken/old applications. It can only be used in the mangle table. .TP \fB\-\-checksum\-fill\fP diff --git a/extensions/libxt_CT.man b/extensions/libxt_CT.man index e992120a..fc692f9a 100644 --- a/extensions/libxt_CT.man +++ b/extensions/libxt_CT.man @@ -1,4 +1,4 @@ -The CT target allows to set parameters for a packet or its associated +The CT target sets parameters for a packet or its associated connection. The target attaches a "template" connection tracking entry to the packet, which is then used by the conntrack core when initializing a new ct entry. This target is thus only valid in the "raw" table. diff --git a/extensions/libxt_DSCP.man b/extensions/libxt_DSCP.man index 551ba2e1..5385c97a 100644 --- a/extensions/libxt_DSCP.man +++ b/extensions/libxt_DSCP.man @@ -1,4 +1,4 @@ -This target allows to alter the value of the DSCP bits within the TOS +This target alters the value of the DSCP bits within the TOS header of the IPv4 packet. As this manipulates a packet, it can only be used in the mangle table. .TP diff --git a/extensions/libxt_TCPMSS.man b/extensions/libxt_TCPMSS.man index 8da8e761..25b480dd 100644 --- a/extensions/libxt_TCPMSS.man +++ b/extensions/libxt_TCPMSS.man 
@@ -1,4 +1,4 @@ -This target allows to alter the MSS value of TCP SYN packets, to control +This target alters the MSS value of TCP SYN packets, to control the maximum size for that connection (usually limiting it to your outgoing interface's MTU minus 40 for IPv4 or 60 for IPv6, respectively). Of course, it can only be used diff --git a/extensions/libxt_osf.c b/extensions/libxt_osf.c index 496b4805..c567d9e0 100644 --- a/extensions/libxt_osf.c +++ b/extensions/libxt_osf.c @@ -40,7 +40,7 @@ static void osf_help(void) "--ttl level Use some TTL check extensions to determine OS:\n" " 0 true ip and fingerprint TTL comparison. Works for LAN.\n" " 1 check if ip TTL is less than fingerprint one. Works for global addresses.\n" - " 2 do not compare TTL at all. Allows to detect NMAP, but can produce false results.\n" + " 2 do not compare TTL at all. This allows NMAP detection, but can produce false results.\n" "--log level Log determined genres into dmesg even if they do not match desired one:\n" " 0 log all matched or unknown signatures.\n" " 1 log only first one.\n" diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in index 78df8f08..054564b3 100644 --- a/iptables/iptables.8.in +++ b/iptables/iptables.8.in 
@@ -245,13 +245,13 @@ add, delete, insert, replace and append commands). This option has no effect in iptables and iptables-restore. If a rule using the \fB\-4\fP option is inserted with (and only with) ip6tables-restore, it will be silently ignored. Any other uses will throw an -error. This option allows to put both IPv4 and IPv6 rules in a single rule file +error. This option allows IPv4 and IPv6 rules in a single rule file for use with both iptables-restore and ip6tables-restore. .TP \fB\-6\fP, \fB\-\-ipv6\fP If a rule using the \fB\-6\fP option is inserted with (and only with) iptables-restore, it will be silently ignored. Any other uses will throw an -error. This option allows to put both IPv4 and IPv6 rules in a single rule file +error. This option allows IPv4 and IPv6 rules in a single rule file for use with both iptables-restore and ip6tables-restore. This option has no effect in ip6tables and ip6tables-restore. .TP

From patchwork Wed Dec 4 18:18:07 2019
X-Patchwork-Submitter: Arturo Borrero Gonzalez
X-Patchwork-Id: 1204325
X-Patchwork-Delegate: pablo@netfilter.org
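Review bot: The extensions/libxt_AUDIT.man hunk of PATCH 2/7 introduces a new grammatical error in place of the old one: `+This target allows creates audit records for packets hitting the target.` Drop the leftover "allows" so the line reads "This target creates audit records for packets hitting the target.", consistent with the rewording used in the other hunks of this patch.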
Subject: [iptables PATCH 3/7] extensions: manpages: cleanup hyphens
From: Arturo Borrero Gonzalez
To: netfilter-devel@vger.kernel.org
Date: Wed, 04 Dec 2019 19:18:07 +0100
Message-ID: <157548348778.125234.14968882486427385674.stgit@endurance>
In-Reply-To: <157548347377.125234.12163057581146113349.stgit@endurance>
From: Laurence J. Lane Cleanup, scape hyphens so they are not interpreted by the manpage generator. Arturo says: This patch is forwarded from the iptables Debian package, where it has been around for many years now. Signed-off-by: Laurence J. Lane Signed-off-by: Arturo Borrero Gonzalez --- extensions/libip6t_DNPT.man | 2 +- extensions/libip6t_SNPT.man | 2 +- extensions/libxt_HMARK.man | 2 +- extensions/libxt_SET.man | 2 +- extensions/libxt_TOS.man | 2 +- extensions/libxt_bpf.man | 2 +- extensions/libxt_cluster.man | 2 +- extensions/libxt_osf.man | 4 ++-- extensions/libxt_set.man | 2 +- 9 files changed, 10 insertions(+), 10 deletions(-) diff --git a/extensions/libip6t_DNPT.man b/extensions/libip6t_DNPT.man index 61beeee8..9b060f5b 100644 --- a/extensions/libip6t_DNPT.man +++ b/extensions/libip6t_DNPT.man @@ -23,7 +23,7 @@ ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64 .PP You may need to enable IPv6 neighbor proxy: .IP -sysctl -w net.ipv6.conf.all.proxy_ndp=1 +sysctl \-w net.ipv6.conf.all.proxy_ndp=1 .PP You also have to use the .B NOTRACK diff --git a/extensions/libip6t_SNPT.man b/extensions/libip6t_SNPT.man index 78d644a7..97e0071b 100644 --- a/extensions/libip6t_SNPT.man +++ b/extensions/libip6t_SNPT.man @@ -23,7 +23,7 @@ ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64 .PP You may need to enable IPv6 neighbor proxy: .IP -sysctl -w net.ipv6.conf.all.proxy_ndp=1 +sysctl \-w net.ipv6.conf.all.proxy_ndp=1 .PP You also have to use the .B NOTRACK diff --git a/extensions/libxt_HMARK.man b/extensions/libxt_HMARK.man index e7b5426d..cd7ffd54 100644 --- a/extensions/libxt_HMARK.man +++ b/extensions/libxt_HMARK.man 
@@ -56,5 +56,5 @@ iptables \-t mangle \-A PREROUTING \-m conntrack \-\-ctstate NEW \-j HMARK \-\-hmark-tuple ct,src,dst,proto \-\-hmark-offset 10000 \-\-hmark\-mod 10 \-\-hmark\-rnd 0xfeedcafe .PP -iptables \-t mangle \-A PREROUTING -j HMARK \-\-hmark\-offset 10000 +iptables \-t mangle \-A PREROUTING \-j HMARK \-\-hmark\-offset 10000 \-\-hmark-tuple src,dst,proto \-\-hmark-mod 10 \-\-hmark\-rnd 0xdeafbeef diff --git a/extensions/libxt_SET.man b/extensions/libxt_SET.man index 78a9ae0f..c4713378 100644 --- a/extensions/libxt_SET.man +++ b/extensions/libxt_SET.man @@ -42,5 +42,5 @@ and \fB\-\-map\-queue\fP flags can be used in the OUTPUT, FORWARD and POSTROUTING chains. .PP -Use of -j SET requires that ipset kernel support is provided, which, for +Use of \-j SET requires that ipset kernel support is provided, which, for standard kernels, is the case since Linux 2.6.39. diff --git a/extensions/libxt_TOS.man b/extensions/libxt_TOS.man index 58118ec2..de2d22dc 100644 --- a/extensions/libxt_TOS.man +++ b/extensions/libxt_TOS.man @@ -32,5 +32,5 @@ longterm releases 2.6.32 (>=.42), 2.6.33 (>=.15), and 2.6.35 (>=.14), there is a bug whereby IPv6 TOS mangling does not behave as documented and differs from the IPv4 version. The TOS mask indicates the bits one wants to zero out, so it needs to be inverted before applying it to the original TOS field. However, the -aformentioned kernels forgo the inversion which breaks --set-tos and its +aformentioned kernels forgo the inversion which breaks \-\-set\-tos and its mnemonics. diff --git a/extensions/libxt_bpf.man b/extensions/libxt_bpf.man index 1d2aa9e6..d6da2043 100644 --- a/extensions/libxt_bpf.man +++ b/extensions/libxt_bpf.man 
@@ -17,7 +17,7 @@ iptables \-A OUTPUT \-m bpf \-\-object\-pinned ${BPF_MOUNT}/{PINNED_PATH} \-j AC \fB\-\-bytecode\fP \fIcode\fP Pass the BPF byte code format as generated by the \fBnfbpf_compile\fP utility. .PP -The code format is similar to the output of the tcpdump -ddd command: one line +The code format is similar to the output of the tcpdump \-ddd command: one line that stores the number of instructions, followed by one line for each instruction. Instruction lines follow the pattern 'u16 u8 u8 u32' in decimal notation. Fields encode the operation, jump offset if true, jump offset if diff --git a/extensions/libxt_cluster.man b/extensions/libxt_cluster.man index 94b4b205..23448e26 100644 --- a/extensions/libxt_cluster.man +++ b/extensions/libxt_cluster.man @@ -27,7 +27,7 @@ iptables \-A PREROUTING \-t mangle \-i eth1 \-m cluster iptables \-A PREROUTING \-t mangle \-i eth2 \-m cluster \-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1 \-\-cluster\-hash\-seed 0xdeadbeef -\-j MARK -\-set\-mark 0xffff +\-j MARK \-\-set\-mark 0xffff .IP iptables \-A PREROUTING \-t mangle \-i eth1 \-m mark ! \-\-mark 0xffff \-j DROP diff --git a/extensions/libxt_osf.man b/extensions/libxt_osf.man index 5ba92ce0..ecb6ee5f 100644 --- a/extensions/libxt_osf.man +++ b/extensions/libxt_osf.man @@ -35,11 +35,11 @@ Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> OS fingerprints are loadable using the \fBnfnl_osf\fP program. To load fingerprints from a file, use: .PP -\fBnfnl_osf -f /usr/share/xtables/pf.os\fP +\fBnfnl_osf \-f /usr/share/xtables/pf.os\fP .PP To remove them again, .PP -\fBnfnl_osf -f /usr/share/xtables/pf.os -d\fP +\fBnfnl_osf \-f /usr/share/xtables/pf.os \-d\fP .PP The fingerprint database can be downloaded from http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os . diff --git a/extensions/libxt_set.man b/extensions/libxt_set.man index dbc1586b..5c6f64e3 100644 --- a/extensions/libxt_set.man +++ b/extensions/libxt_set.man 
@@ -61,5 +61,5 @@ when the set was defined without counter support. The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does not clash with an option of other extensions. .PP -Use of -m set requires that ipset kernel support is provided, which, for +Use of \-m set requires that ipset kernel support is provided, which, for standard kernels, is the case since Linux 2.6.39.

From patchwork Wed Dec 4 18:18:14 2019
X-Patchwork-Submitter: Arturo Borrero Gonzalez
X-Patchwork-Id: 1204326
X-Patchwork-Delegate: pablo@netfilter.org
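Review bot: In the extensions/libxt_HMARK.man hunk of PATCH 3/7, only the `-j` on the changed line is escaped, while the context lines on both sides of it still carry `\-\-hmark-tuple`, `\-\-hmark-offset` and `\-\-hmark-mod` with an unescaped inner hyphen; groff will typeset that as a hyphen rather than an ASCII minus, so the option names cannot be copied from the rendered page. Since this is the hyphen-cleanup patch and the example is already being edited, escape those too, in the form the same example already uses for `\-\-hmark\-mod` and `\-\-hmark\-rnd`.

Review bot: The extensions/libxt_TOS.man hunk of PATCH 3/7 rewrites the line that begins `aformentioned kernels forgo the inversion`; while touching that line, correct the spelling to `aforementioned` so the typo does not need a separate patch.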
Subject: [iptables PATCH 4/7] libipq: fix spelling in manpage
From: Arturo Borrero Gonzalez
To: netfilter-devel@vger.kernel.org
Date: Wed, 04 Dec 2019 19:18:14 +0100
Message-ID: <157548349453.125234.3389864626043056658.stgit@endurance>
In-Reply-To: <157548347377.125234.12163057581146113349.stgit@endurance>

From: Laurence J. Lane

Fix spelling in this sentence.

Arturo says: This patch is forwarded from the iptables Debian package, where it has been around for many years now.

Signed-off-by: Laurence J. Lane
Signed-off-by: Arturo Borrero Gonzalez
---
 libipq/ipq_set_verdict.3 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libipq/ipq_set_verdict.3 b/libipq/ipq_set_verdict.3
index 7771ed6a..a6172b30 100644
--- a/libipq/ipq_set_verdict.3
+++ b/libipq/ipq_set_verdict.3
@@ -30,7 +30,7 @@ The .B ipq_set_verdict function issues a verdict on a packet previously obtained with .BR ipq_read , -specifing the intended disposition of the packet, and optionally +specifying the intended disposition of the packet, and optionally supplying a modified version of the payload data. .PP The

From patchwork Wed Dec 4 18:18:21 2019
X-Patchwork-Submitter: Arturo Borrero Gonzalez
X-Patchwork-Id: 1204327
X-Patchwork-Delegate: pablo@netfilter.org
Subject: [iptables PATCH 5/7] iptables: mention iptables-apply(8) in manpages
From: Arturo Borrero Gonzalez
To: netfilter-devel@vger.kernel.org
Date: Wed, 04 Dec 2019 19:18:21 +0100
Message-ID: <157548350119.125234.9202118906807658929.stgit@endurance>
In-Reply-To: <157548347377.125234.12163057581146113349.stgit@endurance>

From: Laurence J. Lane

Add iptables-apply(8) to the SEE ALSO section of *-save(8) and *-restore(8).

Arturo says: This patch is forwarded from the iptables Debian package, where it has been around for many years now.

Signed-off-by: Laurence J. Lane
Signed-off-by: Arturo Borrero Gonzalez
---
 iptables/iptables-restore.8.in | 2 +-
 iptables/iptables-save.8.in | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in
index f751492d..b4b62f92 100644
--- a/iptables/iptables-restore.8.in
+++ b/iptables/iptables-restore.8.in
@@ -87,7 +87,7 @@ from Rusty Russell. .br Andras Kis-Szabo contributed ip6tables-restore. .SH SEE ALSO -\fBiptables\-save\fP(8), \fBiptables\fP(8) +\fBiptables\-apply\fP(8),\fBiptables\-save\fP(8), \fBiptables\fP(8) .PP The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO, which details NAT, and the netfilter-hacking-HOWTO which details the diff --git a/iptables/iptables-save.8.in b/iptables/iptables-save.8.in index 29ef2829..7683fd37 100644 --- a/iptables/iptables-save.8.in +++ b/iptables/iptables-save.8.in 
@@ -62,7 +62,7 @@ Rusty Russell .br Andras Kis-Szabo contributed ip6tables-save. .SH SEE ALSO -\fBiptables\-restore\fP(8), \fBiptables\fP(8) +\fBiptables\-apply\fP(8),\fBiptables\-restore\fP(8), \fBiptables\fP(8) .PP The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO, which details NAT, and the netfilter-hacking-HOWTO which details the

From patchwork Wed Dec 4 18:18:28 2019
X-Patchwork-Submitter: Arturo Borrero Gonzalez
X-Patchwork-Id: 1204328
X-Patchwork-Delegate: pablo@netfilter.org
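Review bot: The iptables/iptables-restore.8.in hunk of PATCH 5/7 drops the space after the first comma: `+\fBiptables\-apply\fP(8),\fBiptables\-save\fP(8), \fBiptables\fP(8)`. Add it so the SEE ALSO entries are separated consistently: `\fBiptables\-apply\fP(8), \fBiptables\-save\fP(8), \fBiptables\fP(8)`.

Review bot: The iptables/iptables-save.8.in hunk of PATCH 5/7 has the same missing space after `\fBiptables\-apply\fP(8),`; it should read `\fBiptables\-apply\fP(8), \fBiptables\-restore\fP(8), \fBiptables\fP(8)`.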
Subject: [iptables PATCH 6/7] extensions: libxt_sctp: add manpage description
From: Arturo Borrero Gonzalez
To: netfilter-devel@vger.kernel.org
Date: Wed, 04 Dec 2019 19:18:28 +0100
Message-ID: <157548350795.125234.2883039836212323040.stgit@endurance>
In-Reply-To: <157548347377.125234.12163057581146113349.stgit@endurance>

From: Laurence J. Lane

Add manpage description.

Arturo says: This patch is forwarded from the iptables Debian package, where it has been around for many years now.

Signed-off-by: Laurence J. Lane
Signed-off-by: Arturo Borrero Gonzalez
---
 extensions/libxt_sctp.man | 1 +
 1 file changed, 1 insertion(+)

diff --git a/extensions/libxt_sctp.man b/extensions/libxt_sctp.man
index 9c0bd8c3..3779d05a 100644
--- a/extensions/libxt_sctp.man
+++ b/extensions/libxt_sctp.man
@@ -1,3 +1,4 @@ +This module matches Stream Control Transmission Protocol headers. .TP [\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP] .TP From patchwork Wed Dec 4 18:18:34 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Arturo Borrero Gonzalez X-Patchwork-Id: 1204329 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=netfilter.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 47SnD138s5zB3tT for ; Thu, 5 Dec 2019 05:18:40 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731649AbfLDSSk (ORCPT ); Wed, 4 Dec 2019 13:18:40 -0500 Received: from mail-wr1-f52.google.com ([209.85.221.52]:46720 "EHLO mail-wr1-f52.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731314AbfLDSSj (ORCPT ); Wed, 4 Dec 2019 13:18:39 -0500 Received: by mail-wr1-f52.google.com with SMTP id z7so282488wrl.13 for ; Wed, 04 Dec 2019 10:18:37 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:from:to:date:message-id:in-reply-to :references:user-agent:mime-version:content-transfer-encoding; bh=8DPOzz5BlVGHDK9kYbG8cus3R04Kq6AjeYfeBXM6tlA=; b=tD9VqKHLDwtZ77TO7uXA7wgvAEB016i/0Vgp4R5Ui9gFRsZFUTtC/D3tBkQr1unMhI ncL7IrpKJdo8nZW2j/OLJSjsy2hB3vc/jOBZ8pKetXVLvIxRdqWVtY4YqAqcjDah4lnm 32ATwiR78XFCzgF7cIg4zSMSfKFsLkmkWbFJCpqURKWsGzrqsPbXoJBHuJA2GJmatNqZ /IDC90Yr29gBb/cGEA+DsbNjagu19qr8XLvQH6BqiDRD76hR/HKkt65KNyNqwnDQh+IV 
N9tXdT+lZqRgxHQMft0mYJdFx4GK6BcV/PcQ4/Tbpu/qY9vlkOXt6mvC+9f0bSNhFFbH 5Viw== X-Gm-Message-State: APjAAAWY32QoGcKpzujJaVEfvHObHHYtMzLb8GJIbBSEBTYKBBsE2e1U lajKV3lfLjrM9pcu3U6WRPIpbv+eMQw= X-Google-Smtp-Source: APXvYqxgORc3vNOWMrZgX+KhXgTHduXL8FBCLj9zxr4TTKNdU8ZpJizbD14qI3RU5W7Euanfp4GdrQ== X-Received: by 2002:adf:ff84:: with SMTP id j4mr6077423wrr.27.1575483516489; Wed, 04 Dec 2019 10:18:36 -0800 (PST) Received: from localhost (static.68.138.194.213.ibercom.com. [213.194.138.68]) by smtp.gmail.com with ESMTPSA id y20sm7339794wmi.25.2019.12.04.10.18.35 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 04 Dec 2019 10:18:35 -0800 (PST) Subject: [iptables PATCH 7/7] iptables-apply: script and manpage update From: Arturo Borrero Gonzalez To: netfilter-devel@vger.kernel.org Date: Wed, 04 Dec 2019 19:18:34 +0100 Message-ID: <157548351481.125234.6471420892849038650.stgit@endurance> In-Reply-To: <157548347377.125234.12163057581146113349.stgit@endurance> References: <157548347377.125234.12163057581146113349.stgit@endurance> User-Agent: StGit/0.19 MIME-Version: 1.0 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org From: GW This is GW's update to iptables-apply. It does a code cleanup and adds two options: one runs a command and the other writes the successful rules file. I modified the script to use mktemp instead of tempfile. I also fixed a couple of hyphens in the man page addition. Arturo says: I'm not a strong supporter of this script, but there are many users of it, so better do things right and add this patch that should produce no harm anyway. This patch is forwarded from the iptables Debian package, where it has been around for many years now. Signed-off-by: GW Signed-off-by: Laurence J. Lane 
Signed-off-by: Arturo Borrero Gonzalez --- iptables/iptables-apply | 302 +++++++++++++++++++++++++++++------------- iptables/iptables-apply.8.in | 46 ++++-- 2 files changed, 242 insertions(+), 106 deletions(-) diff --git a/iptables/iptables-apply b/iptables/iptables-apply index 819ca4a4..4683b1b4 100755 --- a/iptables/iptables-apply +++ b/iptables/iptables-apply 
@@ -1,174 +1,294 @@ #!/bin/bash -# # iptables-apply -- a safer way to update iptables remotely # -# Copyright © Martin F. Krafft +# Usage: +# iptables-apply [-hV] [-t timeout] [-w savefile] {[rulesfile]|-c [runcmd]} +# +# Versions: +# * 1.0 Copyright 2006 Martin F. Krafft +# Original version +# * 1.1 Copyright 2010 GW +# Added parameter -c (run command) +# Added parameter -w (save successfully applied rules to file) +# Major code cleanup +# # Released under the terms of the Artistic Licence 2.0 # set -eu -PROGNAME="${0##*/}"; -VERSION=1.0 +PROGNAME="${0##*/}" +VERSION=1.1 + + +### Default settings + +DEF_TIMEOUT=10 + +MODE=0 # apply rulesfile mode +# MODE=1 # run command mode + +case "$PROGNAME" in + (*6*) + SAVE=ip6tables-save + RESTORE=ip6tables-restore + DEF_RULESFILE="/etc/network/ip6tables.up.rules" + DEF_SAVEFILE="$DEF_RULESFILE" + DEF_RUNCMD="/etc/network/ip6tables.up.run" + ;; + (*) + SAVE=iptables-save + RESTORE=iptables-restore + DEF_RULESFILE="/etc/network/iptables.up.rules" + DEF_SAVEFILE="$DEF_RULESFILE" + DEF_RUNCMD="/etc/network/iptables.up.run" + ;; +esac + -TIMEOUT=10 +### Functions -function blurb() -{ - cat <<-_eof +function blurb() { + cat <<-__EOF__ $PROGNAME $VERSION -- a safer way to update iptables remotely - _eof + __EOF__ } -function copyright() -{ - cat <<-_eof - $PROGNAME is C Martin F. Krafft . +function copyright() { + cat <<-__EOF__ + $PROGNAME has been published under the terms of the Artistic Licence 2.0. - The program has been published under the terms of the Artistic Licence 2.0 - _eof + Original version - Copyright 2006 Martin F. Krafft . + Version 1.1 - Copyright 2010 GW . 
+ __EOF__ } -function about() -{ +function about() { blurb echo copyright } -function usage() -{ - cat <<-_eof - Usage: $PROGNAME [options] ruleset +function usage() { + blurb + echo + cat <<-__EOF__ + Usage: + $PROGNAME [-hV] [-t timeout] [-w savefile] {[rulesfile]|-c [runcmd]} + + The script will try to apply a new rulesfile (as output by iptables-save, + read by iptables-restore) or run a command to configure iptables and then + prompt the user whether the changes are okay. If the new iptables rules cut + the existing connection, the user will not be able to answer affirmatively. + In this case, the script rolls back to the previous working iptables rules + after the timeout expires. + + Successfully applied rules can also be written to savefile and later used + to roll back to this state. This can be used to implement a store last good + configuration mechanism when experimenting with an iptables setup script: + $PROGNAME -w $DEF_SAVEFILE -c $DEF_RUNCMD - The script will try to apply a new ruleset (as output by iptables-save/read - by iptables-restore) to iptables, then prompt the user whether the changes - are okay. If the new ruleset cut the existing connection, the user will not - be able to answer affirmatively. In this case, the script rolls back to the - previous ruleset. + When called as ip6tables-apply, the script will use ip6tables-save/-restore + and IPv6 default values instead. Default value for rulesfile is + '$DEF_RULESFILE'. + + Options: + + -t seconds, --timeout seconds + Specify the timeout in seconds (default: $DEF_TIMEOUT). + -w savefile, --write savefile + Specify the savefile where successfully applied rules will be written to + (default if empty string is given: $DEF_SAVEFILE). + -c runcmd, --command runcmd + Run command runcmd to configure iptables instead of applying a rulesfile + (default: $DEF_RUNCMD). + -h, --help + Display this help text. + -V, --version + Display version information. 
+ + __EOF__ +} - The following options may be specified, using standard conventions: +function checkcommands() { + for cmd in "${COMMANDS[@]}"; do + if ! command -v "$cmd" >/dev/null; then + echo "Error: needed command not found: $cmd" >&2 + exit 127 + fi + done +} - -t | --timeout Specify the timeout in seconds (default: $TIMEOUT) - -V | --version Display version information - -h | --help Display this help text - _eof +function revertrules() { + echo -n "Reverting to old iptables rules... " + "$RESTORE" <"$TMPFILE" + echo "done." } -SHORTOPTS="t:Vh"; -LONGOPTS="timeout:,version,help"; + +### Parsing and checking parameters + +TIMEOUT="$DEF_TIMEOUT" +SAVEFILE="" + +SHORTOPTS="t:w:chV"; +LONGOPTS="timeout:,write:,command,help,version"; OPTS=$(getopt -s bash -o "$SHORTOPTS" -l "$LONGOPTS" -n "$PROGNAME" -- "$@") || exit $? for opt in $OPTS; do case "$opt" in - (-*) unset OPT_STATE;; + (-*) + unset OPT_STATE + ;; (*) case "${OPT_STATE:-}" in - (SET_TIMEOUT) - eval TIMEOUT=$opt - case "$TIMEOUT" in - ([0-9]*) :;; - (*) - echo "E: non-numeric timeout value." >&2 - exit 1 - ;; - esac + (SET_TIMEOUT) eval TIMEOUT=$opt;; + (SET_SAVEFILE) + eval SAVEFILE=$opt + [ -z "$SAVEFILE" ] && SAVEFILE="$DEF_SAVEFILE" ;; esac ;; esac case "$opt" in + (-t|--timeout) OPT_STATE="SET_TIMEOUT";; + (-w|--write) OPT_STATE="SET_SAVEFILE";; + (-c|--command) MODE=1;; (-h|--help) usage >&2; exit 0;; (-V|--version) about >&2; exit 0;; - (-t|--timeout) OPT_STATE=SET_TIMEOUT;; (--) break;; esac shift done -case "$PROGNAME" in - (*6*) - SAVE=ip6tables-save - RESTORE=ip6tables-restore - DEFAULT_FILE=/etc/network/ip6tables - ;; - (*) - SAVE=iptables-save - RESTORE=iptables-restore - DEFAULT_FILE=/etc/network/iptables - ;; -esac - -FILE="${1:-$DEFAULT_FILE}"; - -if [[ -z "$FILE" ]]; then - echo "E: missing file argument." >&2 +# Validate parameters +if [ "$TIMEOUT" -ge 0 ] 2>/dev/null; then + TIMEOUT=$(($TIMEOUT)) +else + echo "Error: timeout must be a positive number" >&2 exit 1 fi -if [[ ! 
-r "$FILE" ]]; then - echo "E: cannot read $FILE" >&2 - exit 2 +if [ -n "$SAVEFILE" -a -e "$SAVEFILE" -a ! -w "$SAVEFILE" ]; then + echo "Error: savefile not writable: $SAVEFILE" >&2 + exit 8 fi -COMMANDS=(tempfile "$SAVE" "$RESTORE") +case "$MODE" in + (1) + # Treat parameter as runcmd (run command mode) + RUNCMD="${1:-$DEF_RUNCMD}" + if [ ! -x "$RUNCMD" ]; then + echo "Error: runcmd not executable: $RUNCMD" >&2 + exit 6 + fi + + # Needed commands + COMMANDS=(mktemp "$SAVE" "$RESTORE" "$RUNCMD") + checkcommands + ;; + (*) + # Treat parameter as rulesfile (apply rulesfile mode) + RULESFILE="${1:-$DEF_RULESFILE}"; + if [ ! -r "$RULESFILE" ]; then + echo "Error: rulesfile not readable: $RULESFILE" >&2 + exit 2 + fi + + # Needed commands + COMMANDS=(mktemp "$SAVE" "$RESTORE") + checkcommands + ;; +esac -for cmd in "${COMMANDS[@]}"; do - if ! command -v $cmd >/dev/null; then - echo "E: command not found: $cmd" >&2 - exit 127 - fi -done -umask 0700 +### Begin work -TMPFILE=$(tempfile -p iptap) +# Store old iptables rules to temporary file +TMPFILE=`mktemp /tmp/$PROGNAME-XXXXXXXX` trap "rm -f $TMPFILE" EXIT HUP INT QUIT ILL TRAP ABRT BUS \ FPE USR1 SEGV USR2 PIPE ALRM TERM if ! "$SAVE" >"$TMPFILE"; then + # An error occured if ! grep -q ipt /proc/modules 2>/dev/null; then - echo "E: iptables support lacking from the kernel." >&2 + echo "Error: iptables support lacking from the kernel" >&2 exit 3 else - echo "E: unknown error saving current iptables ruleset." >&2 + echo "Error: unknown error saving old iptables rules: $TMPFILE" >&2 exit 4 fi fi +# Legacy to stop the fail2ban daemon if present [ -x /etc/init.d/fail2ban ] && /etc/init.d/fail2ban stop -echo -n "Applying new ruleset... " -if ! "$RESTORE" <"$FILE"; then - echo "failed." - echo "E: unknown error applying new iptables ruleset." >&2 - exit 5 -else - echo "done." -fi +# Configure iptables +case "$MODE" in + (1) + # Run command in background and kill it if it times out + echo -n "Running command '$RUNCMD'... 
" + "$RUNCMD" & + CMD_PID=$! + ( sleep "$TIMEOUT"; kill "$CMD_PID" 2>/dev/null; exit 0 ) & + CMDTIMEOUT_PID=$! + if ! wait "$CMD_PID"; then + echo "failed." + echo "Error: unknown error running command: $RUNCMD" >&2 + revertrules + exit 7 + else + echo "done." + fi + ;; + (*) + # Apply iptables rulesfile + echo -n "Applying new iptables rules from '$RULESFILE'... " + if ! "$RESTORE" <"$RULESFILE"; then + echo "failed." + echo "Error: unknown error applying new iptables rules: $RULESFILE" >&2 + revertrules + exit 5 + else + echo "done." + fi + ;; +esac +# Prompt user for confirmation echo -n "Can you establish NEW connections to the machine? (y/N) " -read -n1 -t "${TIMEOUT:-15}" ret 2>&1 || : +read -n1 -t "$TIMEOUT" ret 2>&1 || : case "${ret:-}" in (y*|Y*) + # Success echo + + if [ ! -z "$SAVEFILE" ]; then + # Write successfully applied rules to the savefile + echo "Writing successfully applied rules to '$SAVEFILE'..." + if ! "$SAVE" >"$SAVEFILE"; then + echo "Error: unknown error writing successfully applied rules: $SAVEFILE" >&2 + exit 9 + fi + fi + echo "... then my job is done. See you next time." ;; (*) - if [[ -z "${ret:-}" ]]; then - echo "apparently not..." + # Failed + echo + if [ -z "${ret:-}" ]; then + echo "Timeout! Something happened (or did not). Better play it safe..." else - echo + echo "No affirmative response! Better play it safe..." fi - echo "Timeout. Something happened (or did not). Better play it safe..." - echo -n "Reverting to old ruleset... " - "$RESTORE" <"$TMPFILE"; - echo "done." + revertrules exit 255 ;; esac +# Legacy to start the fail2ban daemon again [ -x /etc/init.d/fail2ban ] && /etc/init.d/fail2ban start exit 0 diff --git a/iptables/iptables-apply.8.in b/iptables/iptables-apply.8.in index cdc9c447..f0ed4e5f 100644 --- a/iptables/iptables-apply.8.in +++ b/iptables/iptables-apply.8.in 
@@ -1,6 +1,6 @@ .\" Title: iptables-apply -.\" Author: Martin F. Krafft -.\" Date: Jun 04, 2006 +.\" Author: Martin F. Krafft, GW +.\" Date: May 10, 2010 .\" .TH IPTABLES\-APPLY 8 "" "@PACKAGE_STRING@" "@PACKAGE_STRING@" .\" disable hyphenation 
@@ -8,23 +8,37 @@ .SH NAME iptables-apply \- a safer way to update iptables remotely .SH SYNOPSIS -\fBiptables\-apply\fP [\-\fBhV\fP] [\fB-t\fP \fItimeout\fP] \fIruleset\-file\fP +\fBiptables\-apply\fP [\-\fBhV\fP] [\fB-t\fP \fItimeout\fP] [\fB-w\fP \fIsavefile\fP] {[\fIrulesfile]|-c [runcmd]}\fP .SH "DESCRIPTION" .PP -iptables\-apply will try to apply a new ruleset (as output by -iptables\-save/read by iptables\-restore) to iptables, then prompt the -user whether the changes are okay. If the new ruleset cut the existing -connection, the user will not be able to answer affirmatively. In this -case, the script rolls back to the previous ruleset after the timeout -expired. The timeout can be set with \fB\-t\fP. +iptables\-apply will try to apply a new rulesfile (as output by +iptables-save, read by iptables-restore) or run a command to configure +iptables and then prompt the user whether the changes are okay. If the +new iptables rules cut the existing connection, the user will not be +able to answer affirmatively. In this case, the script rolls back to +the previous working iptables rules after the timeout expires. .PP -When called as \fBip6tables\-apply\fP, the script will use -ip6tables\-save/\-restore instead. +Successfully applied rules can also be written to savefile and later used +to roll back to this state. This can be used to implement a store last good +configuration mechanism when experimenting with an iptables setup script: +iptables-apply \-w /etc/network/iptables.up.rules \-c /etc/network/iptables.up.run +.PP +When called as ip6tables\-apply, the script will use +ip6tables\-save/\-restore and IPv6 default values instead. Default +value for rulesfile is '/etc/network/iptables.up.rules'. .SH OPTIONS .TP \fB\-t\fP \fIseconds\fR, \fB\-\-timeout\fP \fIseconds\fR -Sets the timeout after which the script will roll back to the previous -ruleset. +Sets the timeout in seconds after which the script will roll back +to the previous ruleset (default: 10). 
+.TP +\fB\-w\fP \fIsavefile\fR, \fB\-\-write\fP \fIsavefile\fR +Specify the savefile where successfully applied rules will be written to +(default if empty string is given: /etc/network/iptables.up.rules). +.TP +\fB\-c\fP \fIruncmd\fR, \fB\-\-command\fP \fIruncmd\fR +Run command runcmd to configure iptables instead of applying a rulesfile +(default: /etc/network/iptables.up.run). .TP \fB\-h\fP, \fB\-\-help\fP Display usage information. @@ -36,9 +50,11 @@ Display version information. \fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8). .SH LEGALESE .PP -iptables\-apply is copyright by Martin F. Krafft. +Original iptables-apply - Copyright 2006 Martin F. Krafft . +Version 1.1 - Copyright 2010 GW . .PP -This manual page was written by Martin F. Krafft +This manual page was written by Martin F. Krafft and +extended by GW . .PP Permission is granted to copy, distribute and/or modify this document under the terms of the Artistic License 2.0.
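Review bot: in the iptables/iptables-apply hunk @@ -1,174 +1,294 @@, the success path writes the savefile with `if ! "$SAVE" >"$SAVEFILE"; then`, and the shell truncates the target before iptables-save runs, so a failure there (exit 9) leaves the last-known-good file empty or partial, which defeats the store-last-good mechanism that -w is meant to provide; write to a temporary file in the same directory and mv it over the savefile only after iptables-save has succeeded. Two further points in the same hunk: the watchdog started by `( sleep "$TIMEOUT"; kill "$CMD_PID" 2>/dev/null; exit 0 ) &` is recorded in CMDTIMEOUT_PID but never killed once `wait "$CMD_PID"` returns, so it lingers for up to TIMEOUT seconds and then signals a PID that the kernel may already have reused for an unrelated process; kill "$CMDTIMEOUT_PID" right after the wait. And the validation `if [ "$TIMEOUT" -ge 0 ] 2>/dev/null` accepts 0 while the error text says "must be a positive number"; with a timeout of 0, read -t 0 returns immediately so the rules are always reverted, and in command mode the watchdog kills runcmd at once, so either test with -gt 0 or document 0 as a valid value. Minor: the new mktemp assignment uses backticks while the rest of the script uses $(...), the savefile test uses the obsolescent -a operator, and the mode-1 command list re-checks "$RUNCMD" in checkcommands after it has already been tested with [ ! -x "$RUNCMD" ].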
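Review bot: in the iptables/iptables-apply.8.in hunk @@ -8,23 +8,37 @@, the new SYNOPSIS line ends with `{[\fIrulesfile]|-c [runcmd]}\fP`, which leaves the italic font open across the closing bracket, the `|` and the `-c` option and uses a plain hyphen for the option, so groff renders `]|-c [runcmd]}` in italics with a hyphen rather than a minus; suggest `{[\fIrulesfile\fP]|\fB\-c\fP [\fIruncmd\fP]}` so it follows the bracketed-option pattern of the existing `[\fB-t\fP \fItimeout\fP]`. The same hunk still carries unescaped hyphens in iptables-save, iptables-restore and the example command although the commit message says the hyphens were fixed, and the example `iptables-apply \-w ... \-c ...` sits inside the running .PP paragraph where it will be joined to the preceding sentence; put it in its own .nf/.fi block (or a .B line) so it renders as a command. The options text also says nothing about the exit codes the script now returns for runcmd, savefile and write failures (6 to 9); a short EXIT STATUS section would help anyone scripting around iptables-apply.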
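Review bot: in the LEGALESE hunk @@ -36,9 +50,11 @@, the two added copyright lines are placed in a single .PP, so groff joins `Original iptables-apply - Copyright 2006 ...` and `Version 1.1 - Copyright 2010 ...` into one paragraph; separate them with .br or give each its own .PP. They also write the program name as iptables-apply with a plain hyphen while the rest of the page uses iptables\-apply, and the ` - ` separators should be `\-` for the same reason.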