Commit message | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | iptables: handle cidr notation more sanely (Phil Oester <kernel@linuxace.com>) | Phil Oester | 2006-07-10 | 1 | -0/+30 |
| | At present, a command such as iptables -A foo -s 10.10/16 will interpret 10.10/16 as 10.0.0.10/16, and after applying the mask end up with 10.0.0.0/16, which likely isn't what the user intended. Yet some people do expect 10.10 (without the cidr notation) to end up as 10.0.0.10. The below patch should satisfy all parties. It zero pads the missing octets only in the cidr case, leaving the IP untouched otherwise. This resolves bug #422 |
* | please kill santa-claus (Pierre-Yves Ritschard <pierre-yves@spootnik.org>) | Pierre-Yves Ritschard | 2006-07-05 | 1 | -1/+0 |
| | Remove "hoho" message :) |
* | libiptc symbols clash (Phil Oester <kernel@linuxace.com>) | Phil Oester | 2006-07-05 | 2 | -0/+4 |
| | As reported by Dmitry Levin, the TC_NUM_RULES and TC_GET_RULE exports clash. His patch below, resolving bug #456 |
* | - force user to specify --icmpv6-type if icmpv6 match is required to load | Yasuyuki KOZAKAI | 2006-07-04 | 2 | -1/+11 |
| | - Don't allow multiple --icmp-type/icmpv6-type (Closes: #461) |
* | ip6tables multiport does not support x:y (Phil Oester <kernel@linuxace.com>) | Phil Oester | 2006-07-03 | 1 | -5/+4 |
| | Update the manpage for ip6tables multiport match to reflect reality -- it does not (yet) support x:y syntax. I looked at adding it, but adding revision support to ip6tables seems a waste at this point, since once xtables support is added to iptables, this problem will resolve itself. Closes bug #451. |
* | iptables trivial compile warning cleanup (Phil Oester <kernel@linuxace.com>) | Phil Oester | 2006-07-03 | 2 | -4/+6 |
| | Cleanup a few compile warnings in latest snapshot: extensions/libipt_dscp_helper.c:69: warning: 'dscp_to_name' defined but not used extensions/libipt_sctp.c: In function 'print_chunks': extensions/libipt_sctp.c:465: warning: value computed is not used extensions/libipt_sctp.c:477: warning: value computed is not used Resolves bug #457. |
* | size_t changed to socklen_t in getsockopt call | Joszef Kadlecsik | 2006-06-23 | 1 | -3/+3 |
* | set match negation bug fixed | Joszef Kadlecsik | 2006-06-23 | 2 | -3/+3 |
* | REDIRECT does not accept IP (Phil Oester <kernel@linuxace.com>) | Phil Oester | 2006-06-20 | 1 | -0/+3 |
| | As pointed out by Nicolas Mailhot in bugzilla #483, REDIRECT does not accept an IP address and when supplied with one, provides unexpected results. Patch below fixes this. |
* | Add new exit value to indicate concurrency issues (Jesper Dangaard Brouer <hawk@comx.dk>) | Jesper Dangaard Brouer | 2006-06-19 | 2 | -2/+7 |
* | trivial connlimit manpage fix (Phil Oester <kernel@linuxace.com>) | Phil Oester | 2006-05-29 | 1 | -2/+2 |
* | Use lowercase letters for match name (Simon Lodal <simonl@parknet.dk>) | Simon Lodal | 2006-05-24 | 1 | -4/+4 |
* | Add information about :<port> syntax (Evan Miller <evanm@frap.net>) | Evan Miller | 2006-05-24 | 1 | -2/+3 |
* | secmark: Add libip6t_CONNSECMARK | James Morris | 2006-05-24 | 3 | -1/+140 |
| | This patch adds the shared library module for the CONNSECMARK target (IPv6). Signed-off-by: James Morris <jmorris@namei.org> |
* | D'oh .. I'm not too smart, forgot to add the new files in the previous patches :) | Patrick McHardy | 2006-05-24 | 6 | -0/+405 |
* | secmark: Add libipt_CONNSECMARK | James Morris | 2006-05-24 | 1 | -1/+1 |
| | This patch adds the shared library module for the CONNSECMARK target (IPv4). Signed-off-by: James Morris <jmorris@namei.org> |
* | secmark: Add libip6t_SECMARK | James Morris | 2006-05-24 | 1 | -1/+1 |
| | This patch adds the shared library module for the SECMARK target (IPv6). Signed-off-by: James Morris <jmorris@namei.org> |
* | secmark: Add libipt_SECMARK | James Morris | 2006-05-24 | 1 | -1/+1 |
| | This patch adds the shared library module for the SECMARK target (IPv4). Signed-off-by: James Morris <jmorris@namei.org> |
* | secmark: Add libselinux support | James Morris | 2006-05-24 | 3 | -4/+36 |
| | This patch adds the infrastructure for linking iptables against libselinux, for use with the SECMARK target. This is enabled by setting DO_SELINUX=1 in the build environment. Signed-off-by: James Morris <jmorris@namei.org> |
* | Add DCCP/SCTP support to multiport. Patch for kernel will go in 2.6.18. | Patrick McHardy | 2006-04-28 | 4 | -16/+58 |
* | Replace annoying "Something wrong... deleting dependencies" message by something more useful. | Patrick McHardy | 2006-04-28 | 1 | -1/+1 |
* | Don't overwrite errno with return value of setsockopt (which is -1 on error). | Patrick McHardy | 2006-04-22 | 1 | -6/+2 |
| | Fixes "Unknown error 4294967295" message (bugzilla #460). |
* | Revert incorrect fix for "Unknown error 4294967295" problem | Patrick McHardy, Harald Welte | 2006-04-22 | 1 | -2/+0 |
* | When entering an invalid command (such as iptables -A INPUT -j MARK --set-mark | Harald Welte | 2006-04-21 | 1 | -0/+2 |
| | 1), the error message "Unknown error 4294967295" is displayed; (Closes: #460) |
* | In ip[6]tables.c, NUMBER_OF_OPT was increased to 12 for the OPT_COUNTERS | Patrick McHardy, Harald Welte | 2006-04-22 | 2 | -30/+32 |
| | option. However, the new array element is not initialized in either commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] or inverse_for_options[NUMBER_OF_OPT]. (Closes: #462) |
* | cmdflags is used in cmd2char() to return the option for a command. It uses the | Harald Welte | 2006-04-21 | 2 | -4/+2 |
| | bit position of the command mask as an index in the array. There's no entry for CMD_CHECK (0x0800U), so lookups for CMD_RENAME_CHAIN (0x1000U) index outside the array. (Closes: #463) |
* | [IPTABLES,IP6TABLES]: check invalid esp spi range | Yasuyuki KOZAKAI | 2006-04-15 | 2 | -0/+6 |
* | [IP6TABLES] kill manual comparing protocol name with "ipv6-icmp". | Yasuyuki KOZAKAI | 2006-04-15 | 1 | -3/+1 |
* | fix loading shared library of ICMPv6 match. | Yasuyuki KOZAKAI | 2006-04-15 | 3 | -1/+1 |
| | The current ip6tables tries to load libip6t_icmp6.so when user types 'ip6tables -p icmpv6 ...' or 'ip6tables ... -m icmpv6' ...', and it fails. This patch renames libip6t_icmpv6.c to libip6t_icmp6.c so that ip6tables can load it. Now kernel module and user library has same name 'icmp6'. It can reduce confusion about name mismatch. That's why I renamed it instead of reverting change in find_match() which brought this bug. This patch keeps compatibility and we can use '-p icmpv6', '-p ipv6-icmpv6', '-m icmpv6', '-m ipv6-icmpv6', and '-m icmp6', as ever. |
* | [IPTABLES,IP6TABLES]: fix the path to detect esp/connbytes support in kernel | Harald Welte | 2006-04-12 | 2 | -2/+2 |
| | The recent kernels don't have ipt_connbytes.c and ip6t_esp.c. |
* | Correct iptables-save output of osf module (Daniel De Graaf) | Daniel De Graaf | 2006-03-31 | 1 | -0/+8 |
* | don't allow to specify protocol of IPv6 extension header (Yasuyuki Kozakai) | Yasuyuki KOZAKAI | 2006-03-29 | 1 | -0/+16 |
| | Sometimes I hear that people do 'ip6tables -p ah ...' which never matches any packet. IPv6 extension headers except of ESP are skipped and invalid as argument of '-p'. Then I propose that ip6tables exits with error in such case. |
* | Multiple matches of the same type can be specified on the commandline. | Joszef Kadlecsik | 2006-03-03 | 4 | -32/+84 |
| | If two or more matches of the same type are detected then the options are assumed to be grouped in order to tell which option belongs to which match: ... -m foo ... <options0> ... -m foo ... <options1> ... Otherwise the commandline parsing is unmodified. |
* | Make '-p all' a special case that is handled before calling getprotoent() (Closes: #446) | Harald Welte | 2006-02-11 | 2 | -2/+14 |
* | fix double-free if a single match is used multiple times within a single rule | Harald Welte | 2006-02-11 | 2 | -2/+6 |
| | (Closes: #440). However, while this fixes the double-free, it still doesn't make iptables support two of the same matches within one rule. Apparently the last matchinfo is copied into all the previous matchinfo instances. |
* | don't install libiptc.a | Harald Welte | 2006-02-09 | 1 | -1/+2 |
* | fix segfault or loading of invalid counters in ip[6]tables-restore (Olaf Rempel) (Closes: #437) | Harald Welte | 2006-02-09 | 2 | -2/+8 |
* | make policy match compile independent of kernel headers (v1.3.5) | Harald Welte | 2006-02-01 | 3 | -2/+6 |
* | Some !%$!*##$@ has modified the kernel include/linux/netfilter_ipv4/ipt_sctp.h | Harald Welte | 2006-02-01 | 1 | -0/+13 |
| | file in a way that breaks userspace :( |
* | fix ipt_conntrack compilation against very early (2.4.0) kernel releases | Harald Welte | 2006-02-01 | 1 | -1/+1 |
* | remove other bits of old ip pool code, people should use ipset (ipset.netfilter.org) these days | Harald Welte | 2006-02-01 | 5 | -323/+2 |
* | remove ippool | Harald Welte | 2006-02-01 | 3 | -679/+0 |
* | Prepare policy match for x_tables unification by making sure both | Patrick McHardy | 2006-01-31 | 7 | -16/+126 |
| | ipt_policy and ip6t_policy use the same data structure. |
* | fix 'save' (Michael Rash) | Michael Rash | 2006-01-30 | 1 | -2/+2 |
* | major manpage update (Yasuyuki Kozakai) | Yasuyuki KOZAKAI | 2006-01-30 | 27 | -88/+149 |
* | Add 'copy+paste' support for 'state' and 'connmark' match, as well as | Harald Welte | 2006-01-26 | 4 | -1/+535 |
| | 'CONNMARK' target for ip6tables / nf_conntrack_l3proto_ipv6. This is a temporary solution for the iptables-1.3.x branch, since the 1.4.x branch will have proper support. |
* | add note about deprecated state | Harald Welte | 2006-01-26 | 1 | -0/+2 |
* | fix spelling 'adress' -> 'address' (Closes: #431) (MJ Anthony) | Harald Welte | 2006-01-22 | 2 | -2/+2 |
* | Fix "empty policy element" complaining in non-strict mode. | Noticed by Tom Eastep | 2006-01-22 | 2 | -2/+4 |
| | Noticed by Tom Eastep <teastep@shorewall.net>. |
* | Clarify --tunnel-src/--tunnel-dst options | Patrick McHardy | 2006-01-12 | 2 | -6/+10 |