summaryrefslogtreecommitdiffstats
path: root/include
Commit message (Collapse)AuthorAgeFilesLines
* Introduces xtables match/target registration/C=JP/ST=JP/CN=Yasuyuki Kozakai/emailAddress=yasuyuki@netfilter.org2007-07-246-276/+342
| | | | | | | | | | | | | | | | | | | | | | | - moves lib_dir to xtables.c - introduces struct pfinfo which has protocol family dependent infomations. - unifies load_ip[6]tables_ko() and moves them as load_xtables_ko() - introduces xt_{match,match_rule,target,tryload} and replaces ip[6]t_* with them - unifies following functions and move them to xtables.c - find_{match,find_target} - compatible_revision, compatible_{match,target}_revision - introduces xtables_register_{match,target} and make register_{match,target}[6] call them. xtables_register_* register ONLY matches/targets matched protocol family Some concepts: - source compatibility for libip[6]t_xxx.c with warning on compilation not binary compatibility. - binary compatibility between 2.4/2.6 kernel and iptables/ip6tables, of cause. - xtables is enough to support only one address family at runtime. Then xtables keeps infomations of only the focused address famiy in struct afinfo.
* Moves ip[6]tables_insmod() to xtables.c as xtables_insmod()/C=JP/ST=JP/CN=Yasuyuki Kozakai/emailAddress=yasuyuki@netfilter.org2007-07-243-4/+3
|
* Moves common fw_malloc() and fw_calloc() to xtables.c/C=JP/ST=JP/CN=Yasuyuki Kozakai/emailAddress=yasuyuki@netfilter.org2007-07-241-0/+3
|
* Adds xtables.[ch] and change Makefile to compile it/C=JP/ST=JP/CN=Yasuyuki Kozakai/emailAddress=yasuyuki@netfilter.org2007-07-241-0/+4
|
* PATCH: Add connlimit to iptables./C=EU/ST=EU/CN=Patrick McHardy/emailAddress=kaber@trash.net2007-07-091-0/+17
| | | | Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
* Removes KERNEL_64_USERSPACE_32/C=JP/ST=JP/CN=Yasuyuki Kozakai/emailAddress=yasuyuki@netfilter.org2007-06-304-75/+0
| | | | | | | The recent kernel has compat layer for iptables. It doesn't have compat layer for libipq and ip6tables, but ip6tables with KERNEL_64_USERSPACE_32 is still broken. We should fix kernel instead of fixing them if and when we want use their 32bit binary with 64bit kernel.
* Removes some KERNEL_64_USERSPACE_32 because linux 2.6 has compat layer/C=JP/ST=JP/CN=Yasuyuki Kozakai/emailAddress=yasuyuki@netfilter.org2007-06-2810-50/+3
|
* Use nf_conntrack headers instead of ip_conntrack ones and add sanitized ↵/C=EU/ST=EU/CN=Patrick McHardy/emailAddress=kaber@trash.net2007-04-185-1/+297
| | | | versions.
* Fixes typos in the argument of ip[6]tables_insmod: quit -> quiet/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=yasuyuki/emailAddress=yasuyuki@netfilter.org2007-03-202-4/+6
|
* Supress error message from modprobe on checking revision./C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=yasuyuki/emailAddress=yasuyuki@netfilter.org2007-03-132-4/+4
|
* Add ip6tables TCPMSS extension (Arnaud Ebalard <arno@natisbad.org>)/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kaber/emailAddress=kaber@netfilter.org2007-01-161-0/+10
| | | | Kernel part will go in 2.6.21.
* Add UDPLITE multiport support/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kaber/emailAddress=kaber@netfilter.org2007-01-112-0/+6
|
* [PATCH]: Fix /etc/network usage (Pablo Neira)/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kaber/emailAddress=kaber@netfilter.org2006-11-291-0/+1
| | | | | | | | | | | | | | | | | | | | | | http://bugs.debian.org/398082 iptables 1.3.5 and 1.3.6 appear to read /etc/networks, but the information is lost somewhere with 1.3.6. # cat /etc/networks foonet 10.0.0.0 # strace -s 255 -o /tmp/foo iptables -v -A INPUT -s foonet/8 -j ACCEPT #1.3.5 [1] ACCEPT all opt -- in * out * 10.0.0.0/8 -> 0.0.0.0/0 # strace -s 255 -o /tmp/bar iptables -v -A INPUT -s foonet/8 -j ACCEPT #1.3.6 [2] iptables v1.3.6: host/network `foonet.0.0.0' not found Try `iptables -h' or 'iptables --help' for more information. 1. http://people.debian.org/~ljlane/stuff/strace-iptables-1.3.5.txt 2. http://people.debian.org/~ljlane/stuff/strace-iptables-1.3.6.txt
* load ip_[6]tables.ko just before checking revision support in kernel./C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=yasuyuki/emailAddress=yasuyuki@netfilter.org2006-11-132-0/+2
|
* changes IP6T_SO_GET_REVISION_{MATCH,TARGET} to 68,69/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=yasuyuki/emailAddress=yasuyuki@netfilter.org2006-11-131-2/+2
| | | | 66 and 67 is conflicted with IPv6 Advanced API in kernel <= 2.6.18.
* - Add revision support to ip6tables./C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=yasuyuki/emailAddress=yasuyuki@netfilter.org2006-10-202-0/+45
| | | | | - Add support port range match to libip6t_multiport (R?mi Denis-Courmont <rdenis@simphalempin.com>)
* Add endian annotation types to fix compilation for kernels > 2.6.18/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kaber/emailAddress=kaber@netfilter.org2006-10-091-0/+5
|
* Revert "proto_to_name duplication" patch, as noticed by Yasuyuki it can cause/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kaber/emailAddress=kaber@netfilter.org2006-07-251-1/+0
| | | | invalid arguments to get accepted.
* [PATCH] proto_to_name duplication (Phil Oester <kernel@linuxace.com>)/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kaber/emailAddress=kaber@netfilter.org2006-07-221-0/+1
| | | | | Update multiport match to use the iptables version of proto_to_name instead of reinventing the wheel.
* [PATCH] reduce parse_*_port duplication (Phil Oester <kernel@linuxace.com>)/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kaber/emailAddress=kaber@netfilter.org2006-07-202-0/+2
| | | | | The below patch (dependent upon my 'reduce service_to_port duplication' patch) centralizes the parse_*_port functions into parse_port.
* [PATCH] reduce service_to_port duplication (Phil Oester <kernel@linuxace.com>)/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kaber/emailAddress=kaber@netfilter.org2006-07-202-0/+2
| | | | | The service_to_port function is used in a number of places, and could benefit from some centralization instead of being duplicated everywhere.
* [PATCH] Use gcc to build shared objects (Phil Oester <kernel@linuxace.com>)/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kaber/emailAddress=kaber@netfilter.org2006-07-201-0/+2
| | | | | | | | | | | | As suggested by Dmitry Levin and included in Fedora Core releases, use gcc instead of ld to link shared objects. Fedora rpm notes refer to this fixing a plugin problem, but does not offer specifics. But in any event, 'gcc -dumpspecs' does show gcc will pass a number of parameters which in theory it thinks are better. Compile tested both with and without NO_SHARED_LIBS. Closes bug #454.
* [PATCH]: Add new exit value to indicate concurrency issues (Jesper Dangaard ↵/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kaber/emailAddress=kaber@netfilter.org2006-06-191-1/+2
| | | | Brouer <hawk@comx.dk>)
* Add DCCP/SCTP support to multiport. Patch for kernel will go in 2.6.18./C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kaber/emailAddress=kaber@netfilter.org2006-04-282-0/+10
|
* Multiple matches of the same type can be specified on the commandline./C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kadlec/emailAddress=kadlec@netfilter.org2006-03-032-0/+8
| | | | | | | | | | If two or more matches of the same type are detected then the options are assumed to be grouped in order to tell which option belongs to which match: ... -m foo ... <options0> ... -m foo ... <options1> ... Otherwise the commandline parsing is unmodified.
* make policy match compile independant of kernel headerssvn_t_iptables_1_3_5/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org2006-02-011-0/+4
|
* fix ipt_conntrack compilation against very early (2.4.0) kernel releases/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org2006-02-011-1/+1
|
* remove other bits of old ip pool code, people should use ipset ↵/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org2006-02-011-26/+0
| | | | (ipset.netfilter.org) these days
* Prepare policy match for x_tables unification by making sure both/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kaber/emailAddress=kaber@netfilter.org2006-01-312-0/+116
| | | | ipt_policy and ip6t_policy use the same data structure.
* Fix probing for supported revisions (Jones Desougi <jones@ingate.com>)/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kaber/emailAddress=kaber@netfilter.org2005-12-222-0/+2
| | | | Bugzilla #413
* Kernels higher than 2.6.10 don't support multiple --to arguments in/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org2005-09-191-0/+9
| | | | | | | | | | | | | | | | | | | | | DNAT and SNAT targets. At present, the error is somewhat vague: # iptables -t nat -A foo -j SNAT --to 1.2.3.4 --to 2.3.4.5 iptables: Invalid argument But if we want current iptables to work with kernels <= 2.6.10, we cannot simply disallow this in all cases. So the below patch adds kernel version checking to iptables, and utilizes it in [DS]NAT. Now, users will see a more informative error: # iptables -t nat -A foo -j SNAT --to 1.2.3.4 --to 2.3.4.5 iptables v1.3.3: Multiple --to-source not supported This generic infrastructure (shamelessly lifted from procps btw) may come in handy in the future for other changes. This fixes bugzilla #367. (Phil Oester)
* Add the aligned_u64 typedef, it's defined in linux/types.h in the kernel./C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=gandalf/emailAddress=gandalf@netfilter.org2005-09-111-0/+4
| | | | We can't include that header since it conflicts with sys/types.h
* add NFQUEUE support for ipv4 and ipv6/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org2005-07-191-0/+16
|
* fix various missing header file / #define issues on old kernels. I've now ↵svn_t_iptables_1_3_2/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org2005-07-102-16/+17
| | | | tested compilation with kernels starting 2.4.17
* we need to have this header file included, since old kernels don't define ↵/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org2005-07-101-0/+16
| | | | IP6T_LOG_UID.
* reduce code replication of parse_interface() (Yasuyuki Kozakai)/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org2005-06-222-0/+3
|
* omeone forgot to update ipt_conntrack.h header in user space. So, update it ↵/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org2005-04-101-1/+22
| | | | to use ip_conntrack_old_tuple. (Pablo Neira)
* This fixes rule deletion in CLUSTERIP in iptables (Pablo Neira)/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org2005-03-071-0/+37
|
* Fix CONNMARK/connmark issues with 64bit kernel and 32bit userspace./C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=gandalf/emailAddress=gandalf@netfilter.org2005-02-122-0/+9
| | | | | | | Also fixes a typo in CONNMARK, --mask set the mark, not the mask. Initial patch by: Pablo Neira <pablo@eurodev.net> Signed-off-by: Martin Josefsson <gandalf@wlug.westbo.se>
* Add support for inversion to multiport revision 1./C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=gandalf/emailAddress=gandalf@netfilter.org2005-02-021-0/+1
| | | | Signed-off-by: Phil Oester <kernel@linuxace.com>
* Pablo Neira:/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=rusty/emailAddress=rusty@netfilter.org2005-01-031-0/+28
| | | | Multiport revision 1 userspace support.
* Extension revision number support (if kernel supports the getsockopts)./C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=rusty/emailAddress=rusty@netfilter.org2005-01-032-0/+33
| | | | | Enhance MARK match with second revision. Committed in anticipation of the kernel patch being applied.
* Fix setting lib_dir in ip*tables-{save,restore}/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=gandalf/emailAddress=gandalf@netfilter.org2004-12-273-0/+9
|
* move ipt_hashlimit to it's correct location/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org2004-10-201-0/+0
|
* add hashlimit kernel header file/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org2004-10-201-0/+40
|
* Add comment match extension (Brad Fisher)kaber2004-09-201-0/+10
|
* [PATCH] port physdev to ip6tables (Bart De Schuymer)kaber2004-09-121-0/+24
|
* Add ipt_addrtype.hkaber2004-06-281-0/+11
|
* add missing includelaforge2004-06-211-0/+39
|
* With a 64bit kernel only the high 32bits of nfmark was used regardless ofgandalf2004-05-264-0/+50
| | | | | | | 32/64bit userspace. This makes it quite hard to interoperate with 'tc'. Sync ipv6 versions with ipv4 versions. Tested on x86 and sparc64 with both 32bit and 64bit userspace.