| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
Kernel part will go in 2.6.21.
|
From Bugzilla #527:
if you have a kernel with say a '-g' in it, then KERNEL_DIR will include the
'-g' in it, CFLAGS will include the '-g' in it, and then the grep will think you
have -g in your CFLAGS
for example, if you use the grsec or gentoo patchset:
$ uname -r
2.6.19.1-grsec
$ uname -r
2.6.19-gentoo-r2
then your CFLAGS will look like:
-O2 -Wall -Wunused -I"/lib/modules/2.6.19.1-grsec/build"/include -Iinclude/ -DIPTABLES_VERSION=\"1.3.7\"
and the greedy check grep will incorrectly flag this:
egrep -e '-g|-pg|IPTC_DEBUG'
|
unnecessarily printing the address. Based on patch by Daniel De Graaf.
|
http://bugs.debian.org/398082
iptables 1.3.5 and 1.3.6 appear to read /etc/networks, but the
information is lost somewhere with 1.3.6.
# cat /etc/networks
foonet 10.0.0.0
# strace -s 255 -o /tmp/foo iptables -v -A INPUT -s foonet/8 -j ACCEPT #1.3.5 [1]
ACCEPT all opt -- in * out * 10.0.0.0/8 -> 0.0.0.0/0
# strace -s 255 -o /tmp/bar iptables -v -A INPUT -s foonet/8 -j ACCEPT #1.3.6 [2]
iptables v1.3.6: host/network `foonet.0.0.0' not found
Try `iptables -h' or 'iptables --help' for more information.
1. http://people.debian.org/~ljlane/stuff/strace-iptables-1.3.5.txt
2. http://people.debian.org/~ljlane/stuff/strace-iptables-1.3.6.txt
|
Remove unused CHECK entry in commands_v_options.
It makes -E (rename) work again - generic_opt_check
expects options for RENAME not for CHECK at that table index.
Signed-off-by: Krzysztof Piotr Oledzki <ole@ans.pl>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
default
|
66 and 67 conflict with IPv6 Advanced API in kernel <= 2.6.18.
|
- Add port range match support to libip6t_multiport
(Rémi Denis-Courmont <rdenis@simphalempin.com>)
|
<vapier@gentoo.org>)
Bugzilla #516
|
warning for basically every non-alphanumeric character.
|
Optionally read realm values from /etc/iproute2/rt_realms
|
This patch documents --or-mask and --and-mask options of the MARK
target. Description is directly taken from the source code.
|
(Andy Gay <andy@andynet.net>)
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=502
|
invalid arguments to get accepted.
|
Update multiport match to use the iptables version of proto_to_name
instead of reinventing the wheel.
|
Correcting a chain references increment bug in libiptc.
The bug lies in function iptc_delete_entry() / TC_DELETE_ENTRY. The
problem is the construction of "r" the rule entry, that is used for
comparison. The problem is that the function iptcc_map_target()
increases the target chain's references count.
|
The below patch (dependent upon my 'reduce service_to_port duplication' patch)
centralizes the parse_*_port functions into parse_port.
|
The service_to_port function is used in a number of places, and could
benefit from some centralization instead of being duplicated everywhere.
|
As suggested by Dmitry Levin and included in Fedora Core releases,
use gcc instead of ld to link shared objects. Fedora rpm notes
refer to this fixing a plugin problem, but do not offer specifics.
But in any event, 'gcc -dumpspecs' does show gcc will pass a number
of parameters which in theory it thinks are better.
Compile tested both with and without NO_SHARED_LIBS.
Closes bug #454.
|
At present, a command such as
iptables -A foo -s 10.10/16
will interpret 10.10/16 as 10.0.0.10/16, and after applying the mask end
up with 10.0.0.0/16, which likely isn't what the user intended. Yet
some people do expect 10.10 (without the cidr notation) to end up as
10.0.0.10.
The below patch should satisfy all parties. It zero pads the missing
octets only in the cidr case, leaving the IP untouched otherwise.
This resolves bug #422
|
Remove "hoho" message :)
|
As reported by Dmitry Levin, the TC_NUM_RULES and TC_GET_RULE exports
clash. His patch below, resolving bug #456
|
- Don't allow multiple --icmp-type/icmpv6-type
(Closes: #461)
|
Update the manpage for ip6tables multiport match to reflect
reality -- it does not (yet) support x:y syntax. I looked at
adding it, but adding revision support to ip6tables seems a
waste at this point, since once xtables support is added to
iptables, this problem will resolve itself.
Closes bug #451.
|
Cleanup a few compile warnings in latest snapshot:
extensions/libipt_dscp_helper.c:69: warning: 'dscp_to_name' defined but not used
extensions/libipt_sctp.c: In function 'print_chunks':
extensions/libipt_sctp.c:465: warning: value computed is not used
extensions/libipt_sctp.c:477: warning: value computed is not used
Resolves bug #457.
|
As pointed out by Nicolas Mailhot in bugzilla #483, REDIRECT
does not accept an IP address and when supplied with one,
provides unexpected results. Patch below fixes this.
|
<hawk@comx.dk>)
|