Commit message  Author  Age  Files  Lines
* build: bump version to 1.4.3.2v1.4.3.2Pablo Neira Ayuso2009-04-061-1/+1
| | | | | | This patch bumps iptables version to 1.4.3.2 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_conntrack: properly output negation symbolJan Engelhardt2009-04-051-4/+4
| | | | | | | | | Because the wrong flag was checked, the "!" was either wrongly printed, or not printed at all. This was broken since v1.4.0-29-ga8ad34c. Reported-by: Steven Jan Springl <steven@springl.ukfsn.org> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* CLASSIFY: document non-standard interpretation behaviorJan Engelhardt2009-04-042-2/+3
| | | | | | | | Most other extensions use strtoul (by means of xtables_strtoui) and would abide by the standard convention of hex/octal prefixes 0x/0, and decimal otherwise, but CLASSIFY is an exception. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Merge branch 'plus'Jan Engelhardt2009-04-0412-35/+75
|\
| * iptables: print negation extrapositionedJan Engelhardt2009-04-042-12/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch combines the two referenced ones by Peter. I did a quick extra audit to spot and fix the missing ip6tables parts. (People like to forget ip6tables it seems.) Extension modules were, to the best of my knowledge, already audited in v1.4.3-rc1-10-gcea9f71. Reported-by: Yar Odin <yarodin@gmail.com> References: http://bugs.gentoo.org/264089 Reported-by: Peter Volkov <pva@gentoo.org> References: http://marc.info/?l=netfilter-devel&m=123883867907935&w=2 References: http://marc.info/?l=netfilter-devel&m=123883992508943&w=2 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxtables: provide IPv6 zero address variableJan Engelhardt2009-04-031-1/+2
| | | | | | | | | | | | | | | | µClibc may not provide the in6addr_any variable when IPv6 is disabled. So just provide it ourselves. Reference: http://bugzilla.netfilter.org/show_bug.cgi?id=569 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * build: add configure option to disable ipv4 iptablesJan Engelhardt2009-04-033-1/+9
| | | | | | | | | | | | This patch complements the previous one. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * build: add configure option to disable ip6tablesJan Engelhardt2009-04-033-4/+13
| | | | | | | | | | | | | | | | This also skips building the IPv6 extensions. It does not #ifdef out all code however, I think that would make it too ugly. Inspired-by: http://bugzilla.netfilter.org/show_bug.cgi?id=560 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * build: do not run ldconfig for DESTDIR installationsJan Engelhardt2009-04-031-3/+2
| | | | | | | | | | Reference: http://bugzilla.netfilter.org/show_bug.cgi?id=560 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxtables: reorder .version memberJan Engelhardt2009-04-032-4/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | When the structure's layout changes, as it did between v1.4.1 and v1.4.2, trying to compare the version string makes iptables segfault while it tries to determine whether the module is compatible in the first place. By moving the member to a known offset in the struct and keeping it there, objects (both iptables and 3rd party) compiled from this commit onwards will avoid the segfault. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * iptables-multi: support "iptables-static" as a callable nameJan Engelhardt2009-03-242-2/+4
| | | | | | | | | | | | iptables multi-purpose version: unknown applet name iptables-static Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxt_tcpmss: fix an inversion while parsing --mssJan Engelhardt2009-03-241-1/+1
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * iptables: refer to dmesg if we hit EINVALv1.4.3.1Pablo Neira Ayuso2009-03-242-7/+18
| | | | | | | | | | | | | | With this patch, iptables refers to dmesg for further troubleshooting if we hit EINVAL. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | Merge commit 'v1.4.3'Jan Engelhardt2009-04-040-0/+0
|\ \ | |/ |/| | | Connect history to the tag.
| * Bump version to 1.4.3v1.4.3Patrick McHardy2009-03-232-2/+2
| | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* | build: bump version to 1.4.3.1Pablo Neira Ayuso2009-03-241-1/+1
| | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | build: fix linker issue when LDFLAGS contains --as-neededPeter Volkov2009-03-241-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | The link of iptables-save fails on: $ make LDFLAGS="-Wl,--as-needed" [...] extensions/libext4.a(libxt_RATEEST.o): In function `RATEEST_final_check': extensions/libxt_RATEEST.c:164: undefined reference to `log' Helpful Reference: http://www.gentoo.org/proj/en/qa/asneeded.xml Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | libxt_hashlimit: add missing space for iptables-save outputJan Engelhardt2009-03-241-1/+1
| | | | | | | | | | Reference: http://bugzilla.netfilter.org/show_bug.cgi?id=568 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | libxtables: fix compile error due to incomplete changePeter Volkov2009-03-241-1/+1
| | | | | | | | | | | | | | | | Commit 2338efd8f799d8373dc196c797bda9690283b698 forgot to update the constant in one place, and the compile error triggered only when -DNO_SHARED_LIBS (configure --disable-shared) was in effect. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | iptables-save: minor corrections to the manpage markupJan Engelhardt2009-03-242-10/+8
|/ | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libiptc: give credits to my selfJesper Dangaard Brouer2009-03-231-0/+5
| | | | | | | | Add notes about my scalability work on the library libiptc. This should make it more obvious who to complain to. Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libiptc: fix whitespaces and typosJesper Dangaard Brouer2009-03-231-41/+41
| | | | | | | Cleanup whitespaces while going through the code. Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libiptc: fix chain rename bug in libiptcJesper Dangaard Brouer2009-03-231-1/+8
| | | | | | | | | Chain renaming (TC_RENAME_CHAIN) can result in an unsorted chain list. That breaks the requirement of the binary search done in iptcc_bsearch_chain_index(). Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libiptc: avoid compile warnings for iptc_insert_chainChristoph Paasch2009-03-231-1/+1
| | | | | | | | iptc_insert_chain is too big to get inlined and so it generates a warning while compiling. Signed-off-by: Christoph Paasch <christoph.paasch@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
* iptables-save: module loading correctionsJan Engelhardt2009-03-194-8/+28
| | | | | | | | | | | | | | | | | | | 1. Ignore the absence of /proc/net/ip_tables_names, which happens when x_tables.ko is not loaded. This is equivalent to having x_tables.ko, but no table modules, loaded. As such, success should be returned. 2. Load table when explicitly requested by the -t option. Users might expect "*foo" etc. to be output when `iptables-save -t foo` is executed. So do autoload x_tables.ko and the table in this case. *. Do this for both iptables-save and ip6tables-save, and adjust the manpages for the new -M (modprobe program location) option that is introduced. Based upon a patch by Soren Hansen. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_comment: output quotes must be escaped inJan Engelhardt2009-03-191-1/+2
| | | | | Reference: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=519584 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: add -I/-L flags to pkgconfig filesJan Engelhardt2009-03-191-1/+2
| | | | | | | | These are needed in case iptables gets installed into a non-standard path. It also enables automatic detection of these locations from 3rd party programs via pkgconfig. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_connbytes: document nf_ct_acct behaviorJan Engelhardt2009-03-171-0/+6
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_connbytes: minor manpage adjustmentsJan Engelhardt2009-03-171-5/+5
| | | | | | Use explicit paragraph separator and conntrack(8). Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Merge commit 'nf/master'Jan Engelhardt2009-03-154-7/+7
|\
| * iptables: fix broken options-merging during libxtables reworkPablo Neira Ayuso2009-03-032-3/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes options-merging that was broken somewhere during the libxtables rework. Before this patch, two pointers were used to keep the current options, however, the options field in xt_params was not appropriately updated. Thus, xtables_free_opts() was not restoring the original options. This patch fixes iptables-restore and ip6tables-restore that stopped working in my personal firewall. % iptables-restore *filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables-restore v1.4.3-rc1: Unknown arg `ESTABLISHED,RELATED' Error occurred at line: 4 Try `iptables-restore -h' or 'iptables-restore --help' for more information. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * string: fix wrong pattern length calculationPablo Neira Ayuso2009-03-021-4/+4
| | | | | | | | | | | | | | | | This fixes a problem introduced in 37b4bde745698bf140d74e59a2561f34deeb8726 that leads to the wrong calculation of the pattern length in the string match. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * iptables: Add limits.h to get INT_MIN, INT_MAX, ...Stephen Hemminger2009-02-251-0/+1
| | | | | | | | | | | | | | | | | | | | Fix build failure of iptables utilities on debian/ubuntu, maybe other distros. The values INT_MIN and INT_MAX are used by many filters and these are defined in limits.h --- patch against current iptables.git Signed-off-by: Patrick McHardy <kaber@trash.net>
* | iptables: turn deprecation warning into enforcing modeJan Engelhardt2009-03-151-4/+3
| | | | | | | | | | | | | | The deprecation warning was added 7 months ago in v1.4.2-rc1-13-g1eada72 with a warning "next release". Next release is coming up, so enforce it. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | extensions: add missing limits.h includeJan Engelhardt2009-02-2110-0/+18
| | | | | | | | | | | | Thanks to Stephen Hemminger for noticing. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | include: resynchronize headers with 2.6.29-rc5Jan Engelhardt2009-02-2120-114/+117
|/ | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_policy: use bounded strtouiJan Engelhardt2009-02-212-6/+14
| | | | | | | | | | reqid and SPI can only have a value in the range 0..UINT32_MAX, not the entire range of the "long" type. Also throw an error if the incoming string does not look like a pure number. "Replaces" commit 6db2ded2f22a7e78743c86af523b8430876582e9. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: remove unwanted/add needed includes for IPv4 extsJan Engelhardt2009-02-2116-15/+2
| | | | | | | Most touched files do not use anything from ip_tables.h, so remove that #include. multiport instead, does need it (ipt_entry). Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: remove unwanted/add needed includes for IPv6 extsJan Engelhardt2009-02-218-9/+3
| | | | | | | Most touched files do not use anything from ip6_tables.h, so remove that #include. multiport instead, does need it (ip6t_entry). Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix exit_error to xtables_errorJan Engelhardt2009-02-2190-746/+746
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: inline and remove unused OPTION_OFFSET macroJan Engelhardt2009-02-212-2/+1
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: resynchronize manpage with in-code helpJan Engelhardt2009-02-214-10/+12
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_policy: cannot set spi/reqid numbers higher than 0x7fffffffChristian Perle2009-02-172-4/+4
| | | | | | | | | | | http://bugzilla.netfilter.org/show_bug.cgi?id=577 When using the -m policy match, the option argument for --spi is converted using strtol(), which returns a signed 32 bit value, so the highest positive value is 0x7fffffff. Instead strtoul() should be used. The same applies for the --reqid option argument. Signed-off-by: Patrick McHardy <kaber@trash.net>
* doc: do not put IPv4 doc into ip6tables.8Jan Engelhardt2009-02-171-11/+5
| | | | | Reference: http://bugs.debian.org/515752 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: trigger reconfigure when extensions/GNUmakefile.in changesJan Engelhardt2009-02-171-1/+2
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libiptc: make library available as a shared libraryJan Engelhardt2009-02-165-9/+27
| | | | | Tested-by: Jesper Dangaard Brouer <hawk@comx.dk> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: general follow-up cleanupJamal Hadi Salim2009-02-1311-87/+64
| | | | | | Kill program_name, program_version and xtables_program_name. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
* libxtables: consolidate init calls into one functionJamal Hadi Salim2009-02-1310-39/+76
| | | | | | | | | | | Introduce xtables_init_all() which hides three calls xtables_init(), xtables_set_nfproto(), and xtables_set_params(). Make ip[6]tables-restore, ip[6]tables-save and ip[6]tables-standalone use it. I moved xtables_set_params around for readability reasons. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
* libxtables: consolidate merge_options into xtables_merge_optionsJamal Hadi Salim2009-02-134-70/+41
| | | | | | | | Introduce xtables_merge_options() for re-use reasons. Apps can use it instead of each defining their own merge_options(). Made iptables and ip6tables use the new shared interface. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
* build: remove unneeded -ldl from iptables_xml_LDADDJan Engelhardt2009-02-121-1/+1
| | | | | | Addendum to commit 5c3e0767764bb7fa1db61ac326e8359161380e21. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>