| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
--limit-iface-out Match only on the packet's incoming device
Note that it says "incoming" when it should say "outcoming"
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
iptables -P INPUT
iptables v1.4.15: -X requires a chain and a policy
Try `iptables -h' or 'iptables --help' for more information.
Note that it says -X when we have used -P.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
tcp dpt:10flags: 0x17/0x02
^^
Signed-off-by: Andreas Schwab <schwab@linux-m68k.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If no --fragid option is given, the frag extension only matches
fragments with a zero-valued "Identification" field. This behavior
deviates from what other extensions do (they match all values in this
case) and is unexpected, and therefore changed by this patch.
Additionally, --fragid 0:4294967295 leads to no output on `iptables
-S` because part of the code thinks that this would be the default,
when it is not.
So, default to match all frag values, such that iptables -S not
outputting anything also becomes correct.
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch fixes compilation of libipq with headers from Linux
kernel 3.5:
In file included from libipq.c:34:0:
../include/libipq/libipq.h:33:43: fatal error: linux/netfilter_ipv4/ip_queue.h: No such file or directory
ip_queue is gone since Linux kernel 3.5. However, you can still use
new iptables versions with old Linux kernels. We have to keep libipq
in this tree for a while (1.5-2 years should be OK).
Reported-by: Arkadiusz Miśkiewicz <arekm@maven.pl>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| | |
This patch moves the parameter parsing to one function to reduce
one level of indentation. Jan Engelhardt likes this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch fixes compilation of libipq with headers from Linux
kernel 3.5:
In file included from libipq.c:34:0:
../include/libipq/libipq.h:33:43: fatal error: linux/netfilter_ipv4/ip_queue.h: No such file or directory
ip_queue is gone since Linux kernel 3.5. However, you can still use
new iptables versions with old Linux kernels. We have to keep libipq
in this tree for a while (1.5-2 years should be OK).
Reported-by: Arkadiusz Miśkiewicz <arekm@maven.pl>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
It was possible to specify -A mychain -m hashlimit --hashlimit
600059/minute; this would convert to r->avg=0, which subsequently
causes a division by zero when printing with -S mychain.
1. Avoid division by zero in print_rate by printing infinity
instead.
2. Rewrite the test in parse_rate to properly reject too high rates.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| |
| |
| |
| |
| |
| | |
More corrections of the strtoul kind.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| |
| |
| |
| |
| |
| |
| | |
This is a small cleanup, reducing the two copies of X/Y parsing to
one.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| |
| |
| |
| |
| |
| |
| |
| | |
Using only strtoul is prone to accept all values, including negative
ones which are not explicitly allowed. Therefore, use xtables_strtoui
with bounds checking.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
| |
| |
| |
| |
| |
| | |
Cherry-picked these from recent patches from Mr Dash Four.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
|
|/
|
|
|
|
|
| |
save-restore syntax uses *table, not -t table.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
This new option will be available in the Linux kernel 3.5
[ Pablo fixed coding-style issues and cleaned up this. Added
manpages as well ]
Signed-off-by: Denys Fedoryshchenko <denys@visp.net.lb>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes parameter parsing in iptables-restore since time ago. The
problem has shown up with gcc-4.7. This version of gcc seem to perform more
agressive memory management than previous.
Peter Lekensteyn provided the following sample code similar to the one
in iptables-restore:
int i = 0;
for (;;) {
char x[5];
x[i] = '0' + i;
if (++i == 4) {
x[i] = '\0'; /* terminate string with null byte */
printf("%s\n", x);
break;
}
}
Many may expect 0123 as output. But GCC 4.7 does not do that when compiling
with optimization enabled (-O1 and higher). It instead puts random data in the
first bytes of the character array, which becomes:
| 0 | 1 | 2 | 3 | 4 |
| RANDOM | '3' | '\0' |
Since the array is declared inside the scope of loop's body, you can think of
it as of a new array being allocated in the automatic storage area for each
loop iteration.
The correct code should be:
char x[5];
for (;;) {
x[i] = '0' + i;
if (++i == 4) {
x[i] = '\0'; /* terminate string with null byte */
printf("%s\n", x);
break;
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This reverts commit 44191bdbd71e685fba9eab864b9df25e63905220.
Apply instead a patch that really clarifies the bug in iptables-restore.
This should be good for the record (specifically, for distributors so
they can find the fix by googling).
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch seems to be a mere cleanup that moves the parameter parsing
code to add_param_to_argv.
But, in reality, it also fixes iptables when compiled with gcc-4.7.
Moving param_buffer declaration out of the loop seems to resolve the
issue. gcc-4.7 seems to be generating bad code regarding param_buffer.
@@ -380,9 +380,9 @@
quote_open = 0;
escaped = 0;
param_len = 0;
+ char param_buffer[1024];
for (curchar = parsestart; *curchar; curchar++) {
- char param_buffer[1024];
if (quote_open) {
if (escaped) {
But I have hard time to apply this patch in such a way. Instead, I came
up with the idea of this cleanup, which does not harm after all (and fixes
the issue for us).
Someone in:
https://bugzilla.redhat.com/show_bug.cgi?id=82579
put some light on this:
"Yes, I ran into this too. The issue is that the gcc optimizer is
optimizing out the code that collects quoted strings in
iptables-restore.c at line 396. If inside a quotemark and it hasn't
seen another one yet, it executes
param_buffer[param_len++] = *curchar;
continue;
At -O1 or higher, the write to param_buffer[] never happens. It just
increments param_len and continues.
Moving the definition of char param_buffer[1024]; outside the loop
fixes it. Why, I'm not sure. Defining the param_buffer[] inside the
loop should simply restrict its scope to inside the loop."
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
* Fix typo in --hmark-rnd description.
* Remove trailing -set from port and spi options.
* Take missing value for ports and spi from command line.
* Fix spi / port validation.
* Remove --hmark-offset as mandatory.
Signed-off-by: Hans Schillstrom <hans@schillstrom.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
... -j HMARK --hmark-tuple ct,src,dst --hmark-offset 10000 ...
Note `ct' requires also the tuples.
Reported-by: Hans Schillstrom <hans@schillstrom.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Fix accidental swap of [s|d]port-mask and [s|d]port-port.
Use xtables_ipmask_to_cidr instead of xtables_ipmask_to_numeric.
Signed-off-by: Hans Schillstrom <hans@schillstrom.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
allows --hashlimit-(upto|above) Xb/s [ --hashlimit-burst Yb ]
to make hashlimit match when X bytes/second are exceeded;
optionally, Y bytes will not be matched (i.e. bursted).
[ Pablo fixed minor compilation warning in this patch with gcc-4.6 and x86_64 ]
libxt_hashlimit.c: In function ‘parse_bytes’:
libxt_hashlimit.c:216:6: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 3 has type ‘uint64_t’ [-Wformat]
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
The info variable is assigned but never read in recent_check().
Signed-off-by: Eldad Zack <eldad@fogrefinery.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The target allows you to set mark packets based Jenkins' hash calculation:
h(t, rnd) = x
mark = (x % mod) + offset
where:
* t is a tuple that is used for the hashing:
t = [ src, dst, proto, sport, dport ]
Note that you can customize the tuple, thus, removing some component
that you don't want to use for the calculation. You can also use spi
instead of sport and dport, btw.
* rnd is the random seed that is explicitly passed via --hmark-rnd
* mod is the modulus, to determine the range of possible marks
* offset determines where the mark starts from
This target only works for the "raw" and "mangle" tables.
This can be used to distribute flows between a cluster of
systems and uplinks.
Initially based on work from Hans Schillingstrom. Pablo took it
over and introduced several improvements.
Signed-off-by: Hans Schillstrom <hans.schillstrom@ericsson.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds generic functions to return the mask in CIDR
notation whenever is possible.
This patch also simplifies xtables_ip[6]mask_to_numeric, that
now use these new two functions.
This patch also bumps libxtables_vcurrent and libxtables_vage
since we added a couple new interfaces (thanks to Jan Engelhardt
for his little reminder on this).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
also, -p mobility gets us EINVAL from kernel, use -p ipv6-mh instead.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ipt-restore fails to parse the ipt-save output:
zmatches -m rateest --rateest RE1 --rateest-pps --rateest-lt 5
(should be "--rateest-pps 5 --rateest-lt"). Also, the "delta" option
was never shown in -save output, but twice in some cases when using
"iptables -L".
Also, the "b/pps1" option must be shown when "delta" option is used with
relative mode.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Else, argv[argc] may point to free'd memory.
Some extensions, e.g. rateest, may fail to parse valid input
because argv[optind] (with optind == argc) is not NULL.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
In 1f2474a libipt_ULOG: use guided option parser.
A bug has been accidentally introduced in --ulog-cprange, limiting
possible values from 1 to 50. However, that limit should be applied
to --ulog-qthreshold.
Reported-by: Gaurav Sinha <vgsinha@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
There is an issue on TC_INIT retry path:
In error case, TC_FREE is called and close sockfd.
The retry does not reopen then always fail.
The proposing patch reopens sockfd in retry patch.
Signed-off-by: Miguel GAIO <miguel.gaio@efixo.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the --timeout option to allow to attach timeout
policy objects to flows, eg.
iptables -I PREROUTING -t raw -s 1.1.1.1 -p tcp \
-j CT --timeout custom-tcp-policy
You need the nfct(8) tool which is available at:
http://git.netfilter.org/cgi-bin/gitweb.cgi?p=nfct.git
To define the cttimeout policies.
Example of usage:
nfct timeout add custom-tcp-policy inet tcp established 1000
The new nfct tool also requires libnetfilter_cttimeout:
http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_cttimeout.git
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch provides the user-space iptables support for the nfacct match.
This can be used as it follows:
nfacct add http-traffic
iptables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name http-traffic
iptables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name http-traffic
nfacct get http-traffic
See also man nfacct(8) for more information.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
By default, Unix-like systems leak file descriptors after fork/exec
call. I think this seem to result in SELinux spotting a strange AVC
log messages according to what I can find on the web.
Fedora 18 iptables source includes this change.
Maciej says:
"iptables does potentially fork/exec modprobe to load modules.
That can cause a selinux 'domain'/'role'/whatever-it-is-called crossing.
You can do automated inspection of what gets carried across such
privilege changes and any unexpected open file descriptors flag
problems, patches like this cut down on the noise."
Signed-off-by: Maciej enczykowski <maze@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Fixed a memory leak in the dry run path of function delete_entry().
Signed-off-by: Franz Flasch <franz.flasch@frequentis.com>
Signed-off-by: Christian Engelmayer <christian.engelmayer@frequentis.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Fixed a memory leak in the error path of function cache_add_entry().
Signed-off-by: Franz Flasch <franz.flasch@frequentis.com>
Signed-off-by: Christian Engelmayer <christian.engelmayer@frequentis.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This reverts commit d65702c5c5bbab0ef12298386fa4098c72584e6c.
This is breaking my iptables scripts:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables: Incompatible with this kernel.
|
|
|
|
| |
Jan Engelhardt showed no objections to this patch.
|
|
|
|
|
|
|
| |
Patrick submitted this patch by 9th Jun 2011, I'm recovering
and applying it to iptables.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|\ |
|
| |
| |
| |
| | |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Have each extension link against libxtables.so; with this, all home
symbols are known at link time and we can use ld's --no-undefined to
run the check, dropping the homebrew solution.
By having libxtables.so required by extensions, package managers'
automatic dependency discovery will become effective so that manual
dependencies for distros with split extension packages (e.g. OpenWRT)
will not be necessary anymore.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| | |
Split off extensions/.gitignore.
|
| | |
|