| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
| |
References: http://bugs.debian.org/529954
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
| |
References: http://bugs.debian.org/528457
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
| |
This fixes linking errors for 3rd-party C++ code.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes a segfault that can be triggered if you use an
incorrect protocol, e.g.
# iptables -I PREROUTING -t nat -p lalala --dport 21 -j DNAT --to 192.168.1.2:21
Segmentation fault
With this patch:
# iptables -I PREROUTING -t nat -p lalala --dport 21 -j DNAT --to 192.168.1.2:21
iptables v1.4.3.2: unknown protocol `lala' specified
Try `iptables -h' or 'iptables --help' for more information
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
This patch adds support for the cluster match to iptables.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Add support for persistent mappings (2.6.29-rc2+) as replacement for the
removed SAME target.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
| |
This patch bumps iptables version to 1.4.3.2
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Because the wrong flag was checked, the "!" was either wrongly
printed, or not printed at all.
This was broken since v1.4.0-29-ga8ad34c.
Reported-by: Steven Jan Springl <steven@springl.ukfsn.org>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
| |
Most other extensions use strtoul (by means of xtables_strtoui)
and would abide by the standard convention of hex/octal prefixes
0x/0, and decimal otherwise, but CLASSIFY is an exception.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch combines the two referenced ones by Peter. I did a quick
extra audit to spot and fix the missing ip6tables parts. (People like
to forget ip6tables it seems.) Extension modules were, to the best of
my knowledge, already audited in v1.4.3-rc1-10-gcea9f71.
Reported-by: Yar Odin <yarodin@gmail.com>
References: http://bugs.gentoo.org/264089
Reported-by: Peter Volkov <pva@gentoo.org>
References: http://marc.info/?l=netfilter-devel&m=123883867907935&w=2
References: http://marc.info/?l=netfilter-devel&m=123883992508943&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| |
| | |
µClibc may not provide the in6addr_any variable when IPv6 is
disabled. So just provide it ourselves.
Reference: http://bugzilla.netfilter.org/show_bug.cgi?id=569
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| | |
This patch complements the previous one.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| |
| | |
This also skips building the IPv6 extensions. It does not #ifdef out
all code however, I think that would make it too ugly.
Inspired-by: http://bugzilla.netfilter.org/show_bug.cgi?id=560
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| | |
Reference: http://bugzilla.netfilter.org/show_bug.cgi?id=560
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When the structure's layout changes, as it did between v1.4.1 and
v1.4.2, trying to compare the version string makes iptables segfault
while it tries to determine whether the module is compatible in the
first place.
By moving the member to a known offset in the struct and keeping it
there, objects (both iptables and 3rd party) compiled from this
commit onwards will avoid the segfault.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| | |
iptables multi-purpose version: unknown applet name iptables-static
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| | |
With this patch, iptables refers to dmesg for further
troubleshooting if we hit EINVAL.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|\ \
| |/
|/|
| | |
Connect history to the tag.
|
| |
| |
| |
| | |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| | |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The link of iptables-save fails on:
$ make LDFLAGS="-Wl,--as-needed"
[...]
extensions/libext4.a(libxt_RATEEST.o): In function `RATEEST_final_check':
extensions/libxt_RATEEST.c:164: undefined reference to `log'
Helpful Reference: http://www.gentoo.org/proj/en/qa/asneeded.xml
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| | |
Reference: http://bugzilla.netfilter.org/show_bug.cgi?id=568
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| |
| | |
Commit 2338efd8f799d8373dc196c797bda9690283b698 forgot to update
the constant in one place, and the compile error triggered only
when -DNO_SHARED_LIBS (configure --disable-shared) was in effect.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|/
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
| |
Add notes about my scalability work on the library libiptc.
This should make in more obvious who to complain to.
Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
| |
Cleanup whitespaces while going through the code.
Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
| |
Chain renaming (TC_RENAME_CHAIN) can result in an unsorted
chain list. That breaks the requirement of the binary search
done in iptcc_bsearch_chain_index().
Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
| |
iptc_insert_chain is too big to get inlined and so it generates
a warning while compiling.
Signed-off-by: Christoph Paasch <christoph.paasch@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1. Ignore the absence of /proc/net/ip_tables_names, which happens
when x_tables.ko is not loaded. This is equivalent to having
x_tables.ko, but no tabe modules, loaded. As such, success should
be returned.
2. Load table when explicitly requested by the -t option. Users might
expect "*foo" etc. to be output when `iptables-save -t foo` is
executed. So do autoload x_tables.ko and the table in this case.
*. Do this for both iptables-save and ip6tables-save, and adjust
the manpages for the new -M (modprobe program location) option that
is introduced.
Based upon a patch by Soren Hansen.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
| |
Reference: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=519584
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
| |
These are needed in case iptables gets installed into a non-standard
path. It also enables automatic detection of these locations from 3rd
party programs via pkgconfig.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
| |
Use explicit paragraph separator and conntrack(8).
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch fixes options-merging that was broken somewhere
during the libxtables rework. Before this patch, two pointers
were used to keep the current options, however, the options field
in xt_params was not appropritely updated. Thus, xtables_free_opts()
was not restoring the original options.
This patch fixes iptables-restore and ip6tables-restore that
stopped working in my personal firewall.
% iptables-restore
*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables-restore v1.4.3-rc1: Unknown arg `ESTABLISHED,RELATED'
Error occurred at line: 4
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| | |
This fixes a problem introduced in 37b4bde745698bf140d74e59a2561f34deeb8726
that leads to the wrong calculation of the pattern length in the
string match.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fix build failure of iptables utilities on debian/ubuntu, maybe other distros.
The values INT_MIN and INT_MAX are used by many filters and these
are defined in limits.h
---
patch against current iptables.git
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| |
| |
| |
| | |
The deprecation warning was added 7 months ago in v1.4.2-rc1-13-g1eada72
with a warning "next release". Next release is coming up, so enforce it.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| | |
Thanks to Stephen Hemminger for noticing.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|/
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
|
| |
reqid and SPI can only have a value in the range 0..UINT32_MAX, not
the entire range of the "long" type. Also throw an error if the
incoming string does not look like a pure number.
"Replaces" commit 6db2ded2f22a7e78743c86af523b8430876582e9.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
| |
Most touched files do not use anything from ip_tables.h, so
remove that #include. multiport instead, does need it (ipt_entry).
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
| |
Most touched files do not use anything from ip6_tables.h, so
remove that #include. multiport instead, does need it (ip6t_entry).
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|