| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Note: xt_sctp.h is still not merged upstream in the kernel as of
this commit. But a refactoring was really needed.
|
| |
|
|
|
| |
- change "unsigned" to explicit "unsigned int"
- remove some casts
|
| | |
|
| |
|
|
|
| |
libxt_mark rev1 used AF_INET6 in the class structure where it should
have used AF_INET.
|
| |
|
|
|
|
|
|
| |
Adjust the _INIT macro and thus fix the build/linking procedure of
the monolithic do-it-all binary (iptables-static).
Also fix the Makefile since unfortunately, lib%.o does not seem to
have a higher precedence than %.o
|
| |
|
|
| |
Bugzilla #104
|
| |
|
|
|
|
|
| |
IP address validation logic was inverted, causing valid addresses to
be rejected.
Signed-off-by: James King <t.james.king@gmail.com>
|
| |
|
|
| |
Signed-off-by: Filippo Zangheri <filippo.zangheri@yahoo.it>
|
| | |
|
| |
|
|
|
|
|
| |
There are wrong chunk_type values in sctp table.
The chunk_type of ASCONF and ASCNF_ACK must be 193 and 128, respectively.
Naohiro Ooiwa <nooiwa@miraclelinux.com>
|
| | |
|
| | |
|
| |
|
|
| |
Max Kellermann <max@duempel.org>
|
| |
|
|
| |
Max Kellermann <max@duempel.org>
|
| |
|
|
| |
Max Kellermann <max@duempel.org>
|
| |
|
|
| |
Max Kellermann <max@duempel.org>
|
| |
|
|
| |
Max Kellermann <max@duempel.org>
|
| |
|
|
| |
Max Kellermann <max@duempel.org>
|
| |
|
|
| |
Max Kellermann <max@duempel.org>
|
| |
|
|
|
|
| |
UID/GID range support for libxt_owner
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
| |
Add support for xt_conntrack match revision 1.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
| |
Add support for xt_CONNMARK target revision 1.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
|
|
|
| |
A few build system changes.
* ip6tables needs IP6T_LIB_DIR
* correctly trigger rebuild of master manpages when
submanpages have been touched
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de.
|
| |
|
|
|
|
|
|
| |
Have the header files in the iptables source tree take precedence
over those from the kernel source. Otherwise, building the current
iptables from subversion just fails with kernels < 2.6.25.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| | |
|
| |
|
|
|
|
|
| |
Import libxt_TCPOPTSTRIP into iptables.
Signed-off-by: Sven Schnelle <svens@bitebene.org>
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
| |
Add support for xt_iprange revision 1
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
| |
Move libipt_iprange to libxt_iprange.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
| |
Introduce libxt_mark match revision 1 support.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
| |
Add checks for libxt_hashlimit so that options cannot be passed twice
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
| |
Rename overlapping function names.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
|
|
| |
Move a few functions from iptables.c/ip6tables.c to xtables.c
so they are available for combined (both AF_INET and AF_INET6)
libxt modules. Rename overlapping function names.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
| |
Move libipt_conntrack to libxt_conntrack.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
|
| |
If the file exists but could not be loaded, print the dlerror().
Often it is a missing symbol.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
| |
Add support for xt_connmark match revision 1.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
|
| |
Add support for xt_MARK target revision 2.
Also consolidate libip6t_MARK.man and libipt_MARK.man.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
|
| |
Move libipt_TOS revision 0 to libxt_TOS revision 0 and add support
for xt_TOS target revision 1.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
|
| |
Move libipt_tos revision 0 to libxt_tos revision 0 and add support
for xt_tos match revision 1.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
|
| |
libxt_owner merges libipt_owner and libip6t_owner, and adds support
for the xt_owner match revision 1.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
|
|
| |
Error messages vary wildly among modules, and there is a lot of
reundance in it too. Introduce a helper function that does all of
the parameter checking boilerplate and gives unique messages.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
back the 'end' pointer. It is useful where you want to do boundary
checking yet work with strings that are not entirely slurped by
strtoul(), e.g.:
s = "1/2"; /* one half */
if (!strtonum(s, &end, &value, 0, 5))
error("Zero-length string, or value out of bounds");
if (*end != '/')
error("Malformed string");
info->param1 = value;
if (!strtonum(end + 1, &end, &value, 2, 4))
error("..");
if (*end != '\0')
error("Malformed string");
info->param2 = value;
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
- Can build both static and dynamic at the same time
- iptables-static will be a multi-binary, semi-static
(link against libc but w/o dynamic plugins)
- Always build IPv6 modules
- consider INSTALL
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
| |
- check for malloc() return value in merge_opts()
- check for merge_opts() return value
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Solving scalability issue: for chain list "name" searching.
Functions: iptcc_find_label(), iptc_is_chain().
Testing if a chain exist, requires a linearly walk of linked list with
chain-names (doing a strcmp(3) in each step). Giving a worst-case
runtime of O(n) where n is the number of chains.
Why is this important to fix?! If only called once, this should not be
a big concern, even-though the string compares are expensive.
The performance issue arise with many chains for example; when using
"iptables-restore", or when listing all "iptables -nL" rules, or when
using CPAN IPTables::libiptc.
Having 50k chains, the rule listing, with the command:
"./iptables -nL > /dev/null",
Without patch it takes approximately 5 minutes,
With the patch it takes 0.5 seconds.
Listing without patch:
real 4m49.426s
user 4m37.993s
sys 0m0.280s
Listing with patch:
real 0m0.558s
user 0m0.484s
sys 0m0.064s
How is it solved?!
The issue is solved introducing a new data structure, that allow us to
do binary search of chain names. Thus, reducing the worst-case runtime
to O(log n).
Being more specific:
The new data structure is called "chain index", which is an array with
pointers into the chain list, with CHAIN_INDEX_BUCKET_LEN spacing.
This facilitates the ability to speedup chain list searching, by find
a more optimal starting points when searching the linked list.
The runtime complexity is actually also affected by this "bucket" size
concept. Thus, O(log(n/k) + k) where k is CHAIN_INDEX_BUCKET_LEN.
A nice property of the chain index, is that the "bucket" list
length is max CHAIN_INDEX_BUCKET_LEN (when just build, inserts will
change this). Oppose to hashing, where the "bucket" list length can
vary a lot.
Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
|
