summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Fix define value of SCTP chunk type.Naohiro Ooiwa2008-02-291-2/+2
| | | | | | | There are wrong chunk_type values in sctp table. The chunk_type of ASCONF and ASCNF_ACK must be 193 and 128, respectively. Naohiro Ooiwa <nooiwa@miraclelinux.com>
* Remove compiler.h inclusions.Patrick McHardy2008-02-223-4/+0
|
* Add netfilter.hPatrick McHardy2008-01-291-0/+48
|
* fix gcc warningsMax Kellermann2008-01-2984-118/+122
| | | | Max Kellermann <max@duempel.org>
* allow empty strings in argument parserMax Kellermann2008-01-292-14/+10
| | | | Max Kellermann <max@duempel.org>
* unescape parametersMax Kellermann2008-01-292-53/+56
| | | | Max Kellermann <max@duempel.org>
* escape stringsMax Kellermann2008-01-296-7/+57
| | | | Max Kellermann <max@duempel.org>
* use size_tMax Kellermann2008-01-292-5/+6
| | | | Max Kellermann <max@duempel.org>
* whitespace cleanupMax Kellermann2008-01-297-118/+118
| | | | Max Kellermann <max@duempel.org>
* Fix REDIRECT manpageMax Kellermann2008-01-291-2/+1
| | | | Max Kellermann <max@duempel.org>
* [IPTABLES]: libxt_owner: UID/GID range supportJan Engelhardt2008-01-292-23/+49
| | | | | | UID/GID range support for libxt_owner Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* [IPTABLES]: libxt_conntrack revision 1Jan Engelhardt2008-01-292-17/+576
| | | | | | Add support for xt_conntrack match revision 1. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* libxt_CONNMARK revision 1Jan Engelhardt2008-01-293-20/+310
| | | | | | Add support for xt_CONNMARK target revision 1. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* Build adjustmentsJan Engelhardt2008-01-292-5/+5
| | | | | | | | | A few build system changes. * ip6tables needs IP6T_LIB_DIR * correctly trigger rebuild of master manpages when submanpages have been touched Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de.
* Give preference to iptables header filesJan Engelhardt2008-01-293-6/+10
| | | | | | | | Have the header files in the iptables source tree take precedence over those from the kernel source. Otherwise, building the current iptables from subversion just fails with kernels < 2.6.25. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* Remove obsolete filePatrick McHardy2008-01-201-24/+0
|
* libxt_TCPOPTSTRIPSven Schnelle2008-01-203-0/+232
| | | | | | | Import libxt_TCPOPTSTRIP into iptables. Signed-off-by: Sven Schnelle <svens@bitebene.org> Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* libxt_iprange r1Jan Engelhardt2008-01-201-1/+222
| | | | | | Add support for xt_iprange revision 1 Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* libxt_iprange r0Jan Engelhardt2008-01-205-56/+66
| | | | | | Move libipt_iprange to libxt_iprange. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* libxt_mark r1Jan Engelhardt2008-01-202-29/+118
| | | | | | Introduce libxt_mark match revision 1 support. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* libxt_hashlimit checksJan Engelhardt2008-01-201-0/+17
| | | | | | Add checks for libxt_hashlimit so that options cannot be passed twice Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* rename overlapping function namesJan Engelhardt2008-01-2013-379/+356
| | | | | | Rename overlapping function names. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* bunch o' renamesJan Engelhardt2008-01-2011-179/+190
| | | | | | | | Move a few functions from iptables.c/ip6tables.c to xtables.c so they are available for combined (both AF_INET and AF_INET6) libxt modules. Rename overlapping function names. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* libxt_conntrack r0Jan Engelhardt2008-01-205-240/+271
| | | | | | Move libipt_conntrack to libxt_conntrack. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* print warning when dlopen failsJan Engelhardt2008-01-201-0/+14
| | | | | | | If the file exists but could not be loaded, print the dlerror(). Often it is a missing symbol. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* libxt_connmark r1Jan Engelhardt2008-01-203-36/+124
| | | | | | Add support for xt_connmark match revision 1. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* libxt_MARK r2Jan Engelhardt2008-01-205-19/+177
| | | | | | | Add support for xt_MARK target revision 2. Also consolidate libip6t_MARK.man and libipt_MARK.man. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* libxt_TOSJan Engelhardt2008-01-205-170/+289
| | | | | | | Move libipt_TOS revision 0 to libxt_TOS revision 0 and add support for xt_TOS target revision 1. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* libxt_tosJan Engelhardt2008-01-206-172/+298
| | | | | | | Move libipt_tos revision 0 to libxt_tos revision 0 and add support for xt_tos match revision 1. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* libxt_ownerJan Engelhardt2008-01-207-532/+606
| | | | | | | libxt_owner merges libipt_owner and libip6t_owner, and adds support for the xt_owner match revision 1. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* common error messagesJan Engelhardt2008-01-202-1/+55
| | | | | | | | Error messages vary wildly among modules, and there is a lot of reundance in it too. Introduce a helper function that does all of the parameter checking boilerplate and gives unique messages. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* Introduce strtonum(), which works like string_to_number(), but passesJan Engelhardt2008-01-202-0/+49
| | | | | | | | | | | | | | | | | | | | back the 'end' pointer. It is useful where you want to do boundary checking yet work with strings that are not entirely slurped by strtoul(), e.g.: s = "1/2"; /* one half */ if (!strtonum(s, &end, &value, 0, 5)) error("Zero-length string, or value out of bounds"); if (*end != '/') error("Malformed string"); info->param1 = value; if (!strtonum(end + 1, &end, &value, 2, 4)) error(".."); if (*end != '\0') error("Malformed string"); info->param2 = value; Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* Converts the iptables build infrastructure to autotools.Jan Engelhardt2008-01-2017-709/+416
| | | | | | | | | | | | | - Can build both static and dynamic at the same time - iptables-static will be a multi-binary, semi-static (link against libc but w/o dynamic plugins) - Always build IPv6 modules - consider INSTALL Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* - cleanup several code wraparoundsPablo Neira Ayuso2008-01-171-4/+21
| | | | | - check for malloc() return value in merge_opts() - check for merge_opts() return value
* Add rateest match extensionPatrick McHardy2008-01-153-1/+495
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* Add RATEEST target extensionPatrick McHardy2008-01-154-3/+254
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* Solving scalability issue: for chain list "name" searching.Jesper Dangaard Brouer2008-01-151-4/+414
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Solving scalability issue: for chain list "name" searching. Functions: iptcc_find_label(), iptc_is_chain(). Testing if a chain exist, requires a linearly walk of linked list with chain-names (doing a strcmp(3) in each step). Giving a worst-case runtime of O(n) where n is the number of chains. Why is this important to fix?! If only called once, this should not be a big concern, even-though the string compares are expensive. The performance issue arise with many chains for example; when using "iptables-restore", or when listing all "iptables -nL" rules, or when using CPAN IPTables::libiptc. Having 50k chains, the rule listing, with the command: "./iptables -nL > /dev/null", Without patch it takes approximately 5 minutes, With the patch it takes 0.5 seconds. Listing without patch: real 4m49.426s user 4m37.993s sys 0m0.280s Listing with patch: real 0m0.558s user 0m0.484s sys 0m0.064s How is it solved?! The issue is solved introducing a new data structure, that allow us to do binary search of chain names. Thus, reducing the worst-case runtime to O(log n). Being more specific: The new data structure is called "chain index", which is an array with pointers into the chain list, with CHAIN_INDEX_BUCKET_LEN spacing. This facilitates the ability to speedup chain list searching, by find a more optimal starting points when searching the linked list. The runtime complexity is actually also affected by this "bucket" size concept. Thus, O(log(n/k) + k) where k is CHAIN_INDEX_BUCKET_LEN. A nice property of the chain index, is that the "bucket" list length is max CHAIN_INDEX_BUCKET_LEN (when just build, inserts will change this). Oppose to hashing, where the "bucket" list length can vary a lot. Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
* Introduce a counter for number of user defined chains.Jesper Dangaard Brouer2008-01-151-1/+7
| | | | | | Introduce a counter for number of user defined chains. Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
* Inline functions iptcc_is_builtin() and set_changed().Jesper Dangaard Brouer2008-01-151-2/+2
| | | | | | | The two functions are obvious candidates for inlining. Using gprof(1) shows that they actually affects performance. Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
* Fix CONNMARK mask initialisationPeter Warasin2008-01-151-2/+10
| | | | | | | | | | This patch fixes the problem that the CONNMARK mask value has been set to 0 whenever the CONNMARK target options were not the last options to be processed. It initalizes the mask value rather than setting it for each parse. Signed-off-by: Peter Warasin <peter@endian.com>
* bump version from 1.4.0rc1 to 1.4.0 finalv1.4.0Pablo Neira Ayuso2007-12-221-2/+2
|
* iptables and NO_SHARED_LIBS/dlfcn.hMike Frysinger2007-12-193-3/+12
| | | | | | | | if NO_SHARED_LIBS is defined, then iptables shouldnt even include dlfcn.h. otherwise you hit a build failure when using toolchains that do not provide dlfcn.h because they do not support shared objects. Signed-Off-By: Mike Frysinger <vapier@gentoo.org>
* use <linux/types.h>Jan Engelhardt2007-12-173-5/+3
| | | | | | | | Remove our own definitions of the Linux types and use <linux/types.h> instead. libiptc needs it too, or otherwise will choke on union nf_inet_addr. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* More safe chain sorting, improving r7098Jesper Dangaard Brouer2007-12-121-1/+17
| | | | | | | | | | | | | | | | | This patch is an improvment of r7098 (made by me). Assuring compatibility between 1.4.0 and older versions, regarding chain sorting. Chains from kernel are already sorted, as they are inserted sorted. But there exists an issue when shifting to 1.4.0 from an older version, as old versions allow last created chain to be unsorted. This unsorted chain would survive in 1.4.0, as chains are now only sorted on creation. This patch verifies that chains are sorted, if not it fixes the sorting. Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
* Fix sockfd use accounting for kernels without autoloadingPatrick McHardy2007-12-041-4/+0
|
* Fix showing help text for matches/targets with revision as userPatrick McHardy2007-12-031-0/+9
| | | | | | | When running as a user iptables can't determine the highest supported revision and exits. Assume all revision are supported in case we get a EPERM. If the user is not showing the help text but trying to add new rules he'll get EPERM later anyway.
* Unifies libip[6]t_SECMARK.man to libxt_SECMARK.manYasuyuki KOZAKAI2007-11-292-7/+0
|
* Unifies libip[6]t_CONNSECMARK.man to libxt_CONNSECMARK.manYasuyuki KOZAKAI2007-11-292-15/+0
|
* Fixes missing '6' and 'X' in definitions of selinux related extension lists.Yasuyuki KOZAKAI2007-11-291-2/+2
|
* Remove libip6t_state.c. libxt_state.c supports IPv6.Yasuyuki KOZAKAI2007-11-291-156/+0
|