Merge branch 'nft-compat'
This merges the branch that contains the iptables over nftables
compatibility layer into master.
diff --git a/extensions/libxt_SYNPROXY.man b/extensions/libxt_SYNPROXY.man
new file mode 100644
index 0000000..25325fc
--- /dev/null
+++ b/extensions/libxt_SYNPROXY.man
@@ -0,0 +1,64 @@
+This target will process TCP three-way-handshake parallel in netfilter
+context to protect either local or backend system. This target requires
+connection tracking because sequence numbers need to be translated.
+.TP
+\fB\-\-mss\fP \fImaximum segment size\fP
+Maximum segment size announced to clients. This must match the backend.
+.TP
+\fB\-\-wscale\fP \fIwindow scale\fP
+Window scale announced to clients. This must match the backend.
+.TP
+\fB\-\-sack\-perm\fP
+Pass client selective acknowledgement option to backend (will be disabled
+if not present).
+.TP
+\fB\-\-timestamps\fP
+Pass client timestamp option to backend (will be disabled if not present,
+also needed for selective acknowledgement and window scaling).
+.PP
+Example:
+.PP
+Determine tcp options used by backend, from an external system
+.IP
+tcpdump -pni eth0 -c 1 'tcp[tcpflags] == (tcp-syn|tcp-ack)'
+.br
+ port 80 &
+.br
+telnet 192.0.2.42 80
+.br
+18:57:24.693307 IP 192.0.2.42.80 > 192.0.2.43.48757:
+.br
+ Flags [S.], seq 360414582, ack 788841994, win 14480,
+.br
+ options [mss 1460,sackOK,
+.br
+ TS val 1409056151 ecr 9690221,
+.br
+ nop,wscale 9],
+.br
+ length 0
+.PP
+Switch tcp_loose mode off, so conntrack will mark out\-of\-flow
+packets as state INVALID.
+.IP
+echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
+.PP
+Make SYN packets untracked
+.IP
+iptables \-t raw \-A PREROUTING \-i eth0 \-p tcp \-\-dport 80
+ \-\-syn \-j CT \-\-notrack
+.PP
+Catch UNTRACKED (SYN packets) and INVALID (3WHS ACK packets) states
+and send them to SYNPROXY. This rule will respond to SYN packets with
+SYN+ACK syncookies, create ESTABLISHED for valid client response (3WHS ACK
+packets) and drop incorrect cookies. Flags combinations not expected
+during 3WHS will not match and continue (e.g. SYN+FIN, SYN+ACK).
+.IP
+iptables \-A INPUT \-i eth0 \-p tcp \-\-dport 80
+ \-m state \-\-state UNTRACKED,INVALID \-j SYNPROXY
+ \-\-sack\-perm \-\-timestamp \-\-mss 1460 \-\-wscale 9
+.PP
+Drop invalid packets, this will be out\-of\-flow packets that were not
+matched by SYNPROXY.
+.IP
+iptables \-A INPUT \-i eth0 \-p tcp \-\-dport 80 \-m state \-\-state INVALID \-j DROP
diff --git a/extensions/libxt_set.man b/extensions/libxt_set.man
index 7012ef2..dbc1586 100644
--- a/extensions/libxt_set.man
+++ b/extensions/libxt_set.man
@@ -43,7 +43,7 @@
If the packet is matched an element in the set, match only if the
packet counter of the element is greater than the given value as well.
.TP
-[\fB!\fP] \fB\-bytes\-eq\fP \fIvalue\fP
+[\fB!\fP] \fB\-\-bytes\-eq\fP \fIvalue\fP
If the packet is matched an element in the set, match only if the
byte counter of the element matches the given value too.
.TP
diff --git a/iptables/iptables-xml.c b/iptables/iptables-xml.c
index 9628447..c7615ab 100644
--- a/iptables/iptables-xml.c
+++ b/iptables/iptables-xml.c
@@ -845,6 +845,11 @@
for (a = 0; a < newargc; a++)
DEBUGP("argv[%u]: %s\n", a, newargv[a]);
+ if (!chain) {
+ fprintf(stderr, "%s: line %u failed - no chain found\n",
+ prog_name, line);
+ exit(1);
+ }
needChain(chain);// Should we explicitly look for -A
do_rule(pcnt, bcnt, newargc, newargv, newargvattr);
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
index 78e9abd..9b4c5aa 100644
--- a/libxtables/xtoptions.c
+++ b/libxtables/xtoptions.c
@@ -802,7 +802,7 @@
sizeof(cb->val.ethermac));
return;
out:
- xt_params->exit_err(PARAMETER_PROBLEM, "ether");
+ xt_params->exit_err(PARAMETER_PROBLEM, "Invalid MAC address specified.");
}
static void (*const xtopt_subparse[])(struct xt_option_call *) = {
