Merge branch 'stable' of git://dev.medozas.de/iptables
diff --git a/extensions/libxt_TCPMSS.man b/extensions/libxt_TCPMSS.man
index 675fc5e..dbab918 100644
--- a/extensions/libxt_TCPMSS.man
+++ b/extensions/libxt_TCPMSS.man
@@ -29,10 +29,9 @@
 .PD
 Workaround: activate this option and add a rule to your firewall
 configuration like:
-.nf
- iptables \-t mangle \-A FORWARD \-p tcp \-\-tcp\-flags SYN,RST SYN \\
+.IP
+ iptables \-t mangle \-A FORWARD \-p tcp \-\-tcp\-flags SYN,RST SYN
              \-j TCPMSS \-\-clamp\-mss\-to\-pmtu
-.fi
 .TP
 \fB\-\-set\-mss\fP \fIvalue\fP
 Explicitly set MSS option to specified value.
diff --git a/extensions/libxt_TPROXY.man b/extensions/libxt_TPROXY.man
index c087ebf..0129f84 100644
--- a/extensions/libxt_TPROXY.man
+++ b/extensions/libxt_TPROXY.man
@@ -13,7 +13,7 @@
 \fB\-\-on\-ip\fP \fIaddress\fP
 This specifies a destination address to use. By default the address is the IP
 address of the incoming interface. This is only valid if the rule also
-specifies \fB\-p tcp\fP or \fP\-p udp\fP.
+specifies \fB\-p tcp\fP or \fB\-p udp\fP.
 .TP
 \fB\-\-tproxy\-mark\fP \fIvalue\fP[\fB/\fP\fImask\fP]
 Marks packets with the given value/mask. The fwmark value set here can be used
diff --git a/extensions/libxt_cluster.man b/extensions/libxt_cluster.man
index 6081be1..62ad71c 100644
--- a/extensions/libxt_cluster.man
+++ b/extensions/libxt_cluster.man
@@ -4,35 +4,35 @@
 This match requires that all the nodes see the same packets. Thus, the cluster
 match decides if this node has to handle a packet given the following options:
 .TP
-\fB\-\-cluster\-total\-nodes \fInum\fP
+\fB\-\-cluster\-total\-nodes\fP \fInum\fP
 Set number of total nodes in cluster.
 .TP
-[\fB!\fP] \fB\-\-cluster\-local\-node \fInum\fP
+[\fB!\fP] \fB\-\-cluster\-local\-node\fP \fInum\fP
 Set the local node number ID.
 .TP
-[\fB!\fP] \fB\-\-cluster\-local\-nodemask \fImask\fP
+[\fB!\fP] \fB\-\-cluster\-local\-nodemask\fP \fImask\fP
 Set the local node number ID mask. You can use this option instead
-of \fB\-\-cluster\-local\-node.
+of \fB\-\-cluster\-local\-node\fP.
 .TP
-\fB\-\-cluster\-hash\-seed \fIvalue\fP
+\fB\-\-cluster\-hash\-seed\fP \fIvalue\fP
 Set seed value of the Jenkins hash.
 .PP
 Example:
 .IP
-iptables \-A PREROUTING \-t mangle \-i eth1 \-m cluster \
-\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1 \
-\-\-cluster\-hash\-seed 0xdeadbeef \
+iptables \-A PREROUTING \-t mangle \-i eth1 \-m cluster
+\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1
+\-\-cluster\-hash\-seed 0xdeadbeef
 \-j MARK \-\-set-mark 0xffff
 .IP
-iptables \-A PREROUTING \-t mangle \-i eth2 \-m cluster \
-\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1 \
-\-\-cluster\-hash\-seed 0xdeadbeef \
+iptables \-A PREROUTING \-t mangle \-i eth2 \-m cluster
+\-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1
+\-\-cluster\-hash\-seed 0xdeadbeef
 \-j MARK -\-set\-mark 0xffff
 .IP
-iptables \-A PREROUTING \-t mangle \-i eth1 \
+iptables \-A PREROUTING \-t mangle \-i eth1
 \-m mark ! \-\-mark 0xffff \-j DROP
 .IP
-iptables \-A PREROUTING \-t mangle \-i eth2 \
+iptables \-A PREROUTING \-t mangle \-i eth2
 \-m mark ! \-\-mark 0xffff \-j DROP
 .PP
 And the following commands to make all nodes see the same packets:
@@ -41,18 +41,18 @@
 .IP
 ip maddr add 01:00:5e:00:01:02 dev eth2
 .IP
-arptables \-A OUTPUT \-o eth1 \-\-h\-length 6 \
+arptables \-A OUTPUT \-o eth1 \-\-h\-length 6
 \-j mangle \-\-mangle-mac-s 01:00:5e:00:01:01
 .IP
-arptables \-A INPUT \-i eth1 \-\-h-length 6 \
-\-\-destination-mac 01:00:5e:00:01:01 \
+arptables \-A INPUT \-i eth1 \-\-h-length 6
+\-\-destination-mac 01:00:5e:00:01:01
 \-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27
 .IP
-arptables \-A OUTPUT \-o eth2 \-\-h\-length 6 \
+arptables \-A OUTPUT \-o eth2 \-\-h\-length 6
 \-j mangle \-\-mangle\-mac\-s 01:00:5e:00:01:02
 .IP
-arptables \-A INPUT \-i eth2 \-\-h\-length 6 \
-\-\-destination\-mac 01:00:5e:00:01:02 \
+arptables \-A INPUT \-i eth2 \-\-h\-length 6
+\-\-destination\-mac 01:00:5e:00:01:02
 \-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27
 .PP
 In the case of TCP connections, pickup facility has to be disabled
diff --git a/extensions/libxt_connlimit.c b/extensions/libxt_connlimit.c
index f001a2e..403e7e6 100644
--- a/extensions/libxt_connlimit.c
+++ b/extensions/libxt_connlimit.c
@@ -26,7 +26,9 @@
 static void connlimit_init(struct xt_entry_match *match)
 {
 	struct xt_connlimit_info *info = (void *)match->data;
-	info->v4_mask = 0xFFFFFFFFUL;
+
+	/* This will also initialize the v4 mask correctly */
+	memset(info->v6_mask, 0xFF, sizeof(info->v6_mask));
 }
 
 static void prefix_to_netmask(u_int32_t *mask, unsigned int prefix_len)
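Review bot: The new comment in connlimit_init says the memset "will also initialize the v4 mask correctly" without saying why, and that only holds if v4_mask and v6_mask share storage (presumably a union in struct xt_connlimit_info, which is not visible in this hunk). I would state the dependency in the comment, e.g. `/* v4_mask overlays v6_mask in the same union, so one memset gives both families an all-ones default mask */`, so that a later layout change does not silently leave one family with a shorter default mask. It is also worth confirming that `<string.h>` is included in this file, since the include block is outside the hunk.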
diff --git a/extensions/libxt_connlimit.man b/extensions/libxt_connlimit.man
index eb0832a..c85d768 100644
--- a/extensions/libxt_connlimit.man
+++ b/extensions/libxt_connlimit.man
@@ -21,7 +21,7 @@
 iptables \-p tcp \-\-syn \-\-dport 80 \-m connlimit \-\-connlimit\-above 16
 \-\-connlimit\-mask 24 \-j REJECT
 .TP
-# limit the number of parallel HTTP requests to 16 for the link local network \
+# limit the number of parallel HTTP requests to 16 for the link local network
 (ipv6)
 ip6tables \-p tcp \-\-syn \-\-dport 80 \-s fe80::/64 \-m connlimit \-\-connlimit\-above
 16 \-\-connlimit\-mask 64 \-j REJECT
diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man
index e03d8ec..9d5a64e 100644
--- a/extensions/libxt_recent.man
+++ b/extensions/libxt_recent.man
@@ -33,12 +33,12 @@
 that address will be removed from the list and the rule will return true. If
 the address is not found, false is returned.
 .TP
-[\fB!\fR] \fB\-\-seconds \fIseconds\fP
+[\fB!\fR] \fB\-\-seconds\fP \fIseconds\fP
 This option must be used in conjunction with one of \fB\-\-rcheck\fP or
 \fB\-\-update\fP. When used, this will narrow the match to only happen when the
 address is in the list and was seen within the last given number of seconds.
 .TP
-[\fB!\fR] \fB\-\-hitcount \fIhits\fP
+[\fB!\fR] \fB\-\-hitcount\fP \fIhits\fP
 This option must be used in conjunction with one of \fB\-\-rcheck\fP or
 \fB\-\-update\fP. When used, this will narrow the match to only happen when the
 address is in the list and packets had been received greater than or equal to
diff --git a/extensions/libxt_tcp.man b/extensions/libxt_tcp.man
index 8f39cdb..7a16118 100644
--- a/extensions/libxt_tcp.man
+++ b/extensions/libxt_tcp.man
@@ -4,15 +4,15 @@
 [\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]
 Source port or port range specification. This can either be a service
 name or a port number. An inclusive range can also be specified,
-using the format \fIport\fP\fB:\fP\fIport\fP.
+using the format \fIfirst\fP\fB:\fP\fIlast\fP.
 If the first port is omitted, "0" is assumed; if the last is omitted,
 "65535" is assumed.
-If the second port is greater than the first they will be swapped.
+If the first port is greater than the second one they will be swapped.
 The flag
 \fB\-\-sport\fP
 is a convenient alias for this option.
 .TP
-[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB,\fP\fIport\fP]
+[\fB!\fP] \fB\-\-destination\-port\fP,\fB\-\-dport\fP \fIport\fP[\fB:\fP\fIport\fP]
 Destination port or port range specification.  The flag
 \fB\-\-dport\fP
 is a convenient alias for this option.
diff --git a/ip6tables-restore.c b/ip6tables-restore.c
index 1d5efea..06a82ae 100644
--- a/ip6tables-restore.c
+++ b/ip6tables-restore.c
@@ -454,5 +454,7 @@
 		exit(1);
 	}
 
+	if (in != NULL)
+		fclose(in);
 	return 0;
 }
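Review bot: Nothing visible between the end of parsing and `return 0` checks the stream's error state before the added `fclose(in)`, so a read error on the ruleset input could still end with exit status 0. Unless the loop above the hunk (not visible here) already handles this, I would test the stream first, e.g. `if (in != NULL && ferror(in)) { fprintf(stderr, "read error on input\n"); exit(1); }`. The same point applies to the identical hunks in iptables-restore.c and iptables-xml.c. Whether `in` can be NULL at this point is also not visible; if it is always a checked fopen() result or stdin, a short comment explaining the guard would help.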
diff --git a/ip6tables-save.c b/ip6tables-save.c
index 97205c1..c59608f 100644
--- a/ip6tables-save.c
+++ b/ip6tables-save.c
@@ -54,6 +54,7 @@
 		ret &= func(tablename);
 	}
 
+	fclose(procfile);
 	return ret;
 }
 
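Review bot: The added `fclose(procfile)` follows the loop directly, so a read error on procfile still looks the same as end of file and the function can return success after visiting only part of the table list. The loop header is outside this hunk; if it reads with fgets(), a check such as `if (ferror(procfile)) ret = 0;` before the fclose would make a truncated save fail visibly (assuming, from the `ret &= func(tablename)` line, that zero means failure). The same hunk appears in iptables-save.c.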
diff --git a/iptables-restore.c b/iptables-restore.c
index 2a797cc..5108fda 100644
--- a/iptables-restore.c
+++ b/iptables-restore.c
@@ -459,5 +459,7 @@
 		exit(1);
 	}
 
+	if (in != NULL)
+		fclose(in);
 	return 0;
 }
diff --git a/iptables-save.c b/iptables-save.c
index 6000b49..f63ee6b 100644
--- a/iptables-save.c
+++ b/iptables-save.c
@@ -52,6 +52,7 @@
 		ret &= func(tablename);
 	}
 
+	fclose(procfile);
 	return ret;
 }
 
diff --git a/iptables-xml.c b/iptables-xml.c
index e5d1941..daf4208 100644
--- a/iptables-xml.c
+++ b/iptables-xml.c
@@ -870,6 +870,8 @@
 		exit(1);
 	}
 
+	if (in != NULL)
+		fclose(in);
 	printf("</iptables-rules>\n");
 	free_argv();