summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* libxt_CT: Add the "NOTRACK" aliasJozsef Kadlecsik2013-07-243-3/+54
| | | | | | | Available since Linux kernel 3.8. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libip6t_LOG: target output is different to libipt_LOGPhil Oester2013-07-241-2/+4
| | | | | | | | | libipt_LOG is using the xtables_save_string func, which escapes unsafe characters as needed. libip6t_LOG should do the same. Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_recent: restore minimum value for --secondsPablo Neira Ayuso2013-07-241-1/+1
| | | | | | | This checking was accidentally removed in (74ded72 libxt_recent: add --mask netmask). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_connlabel: use libnetfilter_conntrackFlorian Westphal2013-07-166-127/+45
| | | | | | | | | | | | | | | | | Pablo suggested to make it depend on lnf-conntrack, and get rid of the example config file as well. The problem is that the file must be in a fixed path, /etc/xtables/connlabel.conf, else userspace needs to "guess-the-right-file" when translating names to their bit values (and vice versa). Originally "make install" did put an example file into /etc/xtables/, but distributors complained about iptables ignoring the sysconfdir. So rather remove the example file, the man-page explains the format, and connlabels are inherently system-specific anyway. Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: libipt_ULOG: man page should mention NFLOG as replacementFlorian Westphal2013-07-151-1/+2
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* libxt_recent: restore reap functionality to recent moduleRussell Senior2013-07-151-0/+2
| | | | | | | | | | | | The reap functionality appears to have been accidentally disabled by (74ded72 libxt_recent: add --mask netmask) since iptables 1.4.15 and later. This adds a patch to restore reap functionality for recent_opts_v1. Patch obtained via: http://patchwork.openwrt.org/patch/3812/ Signed-off-by: Russell Senior <russell@personaltelco.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ip{6}tables-restore: fix breakage due to new locking approachPablo Neira Ayuso2013-07-088-10/+22
| | | | | | | | | | | | | | | | Since (93587a0 ip[6]tables: Add locking to prevent concurrent instances), ip{6}tables-restore does not work anymore: iptables-restore < x Another app is currently holding the xtables lock. Perhaps you want to use the -w option? do_command{6}(...) is called from ip{6}tables-restore for every iptables command contained in the rule-set file. Thus, hitting the lock error after the second command. Fix it by bypassing the locking in the ip{6}tables-restore path. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ip6tables: don't print out /128Phil Oester2013-07-081-1/+5
| | | | | | | | Similar to how iptables does not print /32 on IPv4 addresses, ip6tables should not print out /128 on IPv6 addresses. Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
* doc: clarify DEBUG usage macroAlexey Perevalov2013-07-081-0/+2
| | | | | Signed-off-by: Alexey Perevalov <a.perevalov@samsung.com> Signed-off-by: Pablo Neira Ayuso <pablo@gnumonks.org>
* Merge branch 'stable'Pablo Neira Ayuso2013-06-121-2/+2
|\ | | | | | | Get c545933 iptables: Fix connlabel.conf install location
| * iptables: Fix connlabel.conf install locationPhil Oester2013-06-121-2/+2
| | | | | | | | | | | | | | | | | | | | | | As reported by Danny Rawlins in bug #828, connlabel.conf is unconditionally installed in /etc/xtables instead of using prefix set at configure time. Fix to use sysconfdir variable. This closes bugzilla #828. Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | ip[6]tables: Add locking to prevent concurrent instancesPhil Oester2013-06-116-2/+81
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There have been numerous complaints and bug reports over the years when admins attempt to run more than one instance of iptables simultaneously. Currently open bug reports which are related: 325: Parallel execution of the iptables is impossible 758: Retry iptables command on transient failure 764: Doing -Z twice in parallel breaks counters 822: iptables shows negative or other bad packet/byte counts As Patrick notes in 325: "Since this has been a problem people keep running into, I'd suggest to simply add some locking to iptables to catch the most common case." I started looking into alternatives to add locking, and of course the most common/obvious solution is to use a pidfile. But this has various downsides, such as if the application is terminated abnormally and the pidfile isn't cleaned up. And this also requires a writable filesystem. Using a UNIX domain socket file (e.g. in /var/run) has similar issues. Starting in 2.2, Linux added support for abstract sockets. These sockets require no filesystem, and automatically disappear once the application terminates. This is the locking solution I chose to implement in ip[6]tables. As an added bonus, since each network namespace has its own socket pool, an ip[6]tables instance running in one namespace will not lock out an ip[6]tables instance running in another namespace. A filesystem approach would have to recognize and handle multiple network namespaces. Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | Introduce a new revision for the set match with the counters supportJozsef Kadlecsik2013-06-074-12/+312
| | | | | | | | | | | | | | | | The revision add the support of matching the packet/byte counters if the set was defined with the extension. Also, a new flag is introduced to suppress updating the packet/byte counters if required. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* | extensions: libxt_LOG: rename IPv4 manpage and tell about IPv6 supportMart Frauenlob2013-06-072-37/+3
| | | | | | | | | | Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at> Signed-off-by: Florian Westphal <fw@strlen.de>
* | extensions: libxt_MASQUERADE: rename IPv4 manpage and tell about IPv6 supportMart Frauenlob2013-06-072-36/+4
| | | | | | | | | | | | | | also update list of protocols valid for port mapping. Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at> Signed-off-by: Florian Westphal <fw@strlen.de>
* | configure: display summaryEric Leblond2013-06-051-2/+47
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds a message at the end of configure which displays the different compilation options and system settings. An example output is the following: Iptables Configuration: IPv4 support: yes IPv6 support: yes Devel support: yes IPQ support: no Large file support: yes BPF utils support: no Build parameters: Put plugins into executable (static): no Support plugins via dlopen (shared): yes Installation prefix (--prefix): /usr/local Xtables extension directory: /usr/local/lib/xtables Pkg-config directory: /usr/local/lib/pkgconfig Kernel build directory: /lib/modules/custom Host: x86_64-unknown-linux-gnu GCC binary: gcc Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | Merge branch 'stable'Pablo Neira Ayuso2013-05-301-2/+1
|\| | | | | | | Get fix for LED extension.
| * extensions: libxt_LED: fix parsing of delayPablo Neira Ayuso2013-05-301-2/+1
| | | | | | | | | | | | | | Closes bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=825 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | xtables: improve get_modprobe handlingPhil Oester2013-05-291-11/+11
| | | | | | | | | | | | | | | | | | | | | | In bug #455, Dmitry V. Levin proposed a more robust get_modprobe implementation. The patch below is a version of his patch, updated to apply to current git. This closes bug #455. Signed-off-by: Phil Oester <kernel@linuxace.com> Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
* | iptables: use autoconf to process .in man pagesAndy Spencer2013-05-296-12/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | This fixes a bug in iptables.8 and ip6tables.8 where @PACKAGE_VERSION@ was not processed in the VERSION section. It also simplifies the Makefile by avoiding some sed commands. [ Mangled this patch to rename iptables-extensions.8.in to iptables-extensions.8.tmpl.in to avoid having a file whose name is terminated by .in.in --pablo ] Signed-off-by: Andy Spencer <andy753421@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | extensions: libxt_SNAT: rename IPv4 manpage and tell about IPv6 supportMart Frauenlob2013-05-291-8/+7
| | | | | | | | | | | | | | | | | | | | | | This patch renames libipt_SNAT.man to libxt_SNAT.man thus informing about the IPv6 version. Also the list of valid protocols for port mapping is updated to: tcp, udp, dccp and sctp. Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | extensions: libxt_NETMAP: rename IPv4 manpage and tell about IPv6 supportMart Frauenlob2013-05-291-0/+2
| | | | | | | | | | | | | | | | This patch renames libipt_NETMAP.man to libxt_NETMAP.man thus informing about the IPv6 version. Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | extensions: libxt_REDIRECT: rename IPv4 manpage and tell about IPv6 supportMart Frauenlob2013-05-291-7/+6
| | | | | | | | | | | | | | | | | | | | | | This patch renames libipt_REDIRECT.man to libxt_REDIRECT.man thus informing about the IPv6 version. Also the list of valid protocols for port mapping is updated to: tcp, udp, dccp and sctp. Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | extensions: libxt_DNAT: rename IPv4 manpage and tell about IPv6 supportMart Frauenlob2013-05-291-8/+7
| | | | | | | | | | | | | | | | | | | | | | This patch renames libipt_DNAT.man to libxt_DNAT.man thus informing about the IPv6 version, as suggested by Patrick McHardy. Also, it updates the list of valid protocols for port mapping is updated to: tcp, udp, dccp and sctp. Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | libip6t_mh: Correct command to list named mh types in manpageMart Frauenlob2013-05-291-1/+1
| | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* | extensions: add copyright statementsPatrick McHardy2013-05-299-0/+34
| | | | | | | | | | | | Add copyright statements to all extensions authored by myself. Signed-off-by: Patrick McHardy <kaber@trash.net>
* | extensions: libxt_NFQUEUE: add --queue-cpu-fanout parameterholger@eitzenberger.org2013-05-293-3/+76
|/ | | | | Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables 1.4.19.1 releasev1.4.19.1Pablo Neira Ayuso2013-05-291-1/+1
| | | | | | | Unfortunately, previous release was not included two patches that were applied by Florian recently. This release fixes it. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump version to 1.4.19Pablo Neira Ayuso2013-05-291-1/+1
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: mention SNAT in INPUT chain since kernel 2.6.36Michael Roth2013-05-191-1/+10
| | | | | | | | SNAT in the INPUT chain was added Jun 2010 to the kernel (commit c68cd6cc21eb329c47ff020ff7412bf58176984e). Signed-off-by: Michael Roth <mail@mroth.net> Signed-off-by: Florian Westphal <fw@strlen.de>
* Revert "extensions: add connlabel match" duplicateFlorian Westphal2013-05-151-4/+0
| | | | | | | | | | This reverts commit ca376fcbe51b9a102a490545957d5fee69e253e1 to get rid of the duplicated install-data-hook. This should get the tree back into the right state. Conflicts: Makefile.am
* libxtables: fix parsing of dotted network mask formatPablo Neira Ayuso2013-05-091-3/+35
| | | | | | | | | | | | | | After upgrade from iptables 1.4.8 to 1.4.18 netmask parsing got broken: -A foo -m policy --mode tunnel --dir in --tunnel-src 192.168.123.0/255.255.255.0 -j RETURN With iptables 1.4.18: iptables-restore v1.4.18: policy: bad value for option "--tunnel-src", or out of range (0-32) This was probably broken by the augmented parser. Reported-by: Thomas Jarosch <thomas.jarosch@intra2net.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: add connlabel matchFlorian Westphal2013-05-065-0/+266
| | | | | | | | | | | | | | allows to "tag" connections with up to 128 label names. Labels are defined in /etc/xtables/connlabel.conf, example: 0 from eth0 1 via eth0 Labels can then be attached to flows, e.g. -A PREROUTING -i eth0 -m connlabel --label "from eth0" --set Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: add connlabel matchFlorian Westphal2013-05-061-0/+4
| | | | | | | | | | | | | | allows to "tag" connections with up to 128 label names. Labels are defined in /etc/xtables/connlabel.conf, example: 0 from eth0 1 via eth0 Labels can then be attached to flows, e.g. -A PREROUTING -i eth0 -m connlabel --label "from eth0" --set Signed-off-by: Florian Westphal <fw@strlen.de>
* libxt_conntrack: fix state match alias state parsingPatrick McHardy2013-04-261-10/+10
| | | | | | | | The conntrack match uses a different value for the UNTRACKED state than the state match. Translate states to conntrack states to make sure they all match. Signed-off-by: Patrick McHardy <kaber@trash.net>
* extensions: libxt_multiport: Update manpage to list valid protocolsMart Frauenlob2013-04-191-4/+3
| | | | | | | | This patch updates the list of valid protocols in the man page section of the multiport match to: tcp, udp, udplite, dccp and sctp. Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_bpf: clarify --bytecode argumentPablo Neira Ayuso2013-04-191-1/+1
| | | | | | | | | Mart Frauenlob suggested a change to explain the --bytecode better. I have added some reference to the example bytecode in the format that this argument accepts. Reported-by: Mart Frauenlob <mart.frauenlob@chello.at> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: updates .gitignore to include nfbpf_compilePablo Neira Ayuso2013-04-191-0/+1
| | | | | Reported-by: Mart Frauenlob <mart.frauenlob@chello.at> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_NFQUEUE: fix bypass option documentationFlorian Westphal2013-04-131-2/+2
| | | | | | | | | | Steve Caligo points out that the documentation says 'packet will move on to the next rule'. This is incorrect; packet moves to the next table. nf bugzilla #778. Signed-off-by: Florian Westphal <fw@strlen.de>
* libxt_recent: Fix missing space in manpage for --mask optionMart Frauenlob2013-04-061-1/+1
| | | | | Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'stable'Pablo Neira Ayuso2013-04-051-1/+1
|\ | | | | | | | | Resolve conflict with Nicolas' Dichtel update on utils/Makefile.am for nfnl_osf.
| * utils: nfnl_osf: use the right nfnetlink libNicolas Dichtel2013-04-051-1/+1
| | | | | | | | | | | | | | If the user specify libnfnetlink_LIBS during the configure, we must use it. Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | utils: nfbpf_compileWillem de Bruijn2013-04-024-4/+71
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A BPF compiler to convert tcpdump expressions to the decimal format accepted by the libxt_bpf. Generate a file and pass that to iptables: nfbpf_compile RAW 'udp dst port 9000' > test.bpf iptables -A OUTPUT -m bpf --bytecode-file test.bpf -j LOG Or pass the output directly to iptables using backticks: iptables -A INPUT -m bpf --bytecode \ "`./nfbpf_compile RAW 'udp dst port 9000'" -j LOG This utility depends on libpcap. The library is only compiled if the option --enable-bpf-compiler is explicitly passed to ./configure and libpcap is found. Pablo has mangled the original patch to rename the utility to nfbpf_compile. Also modified the output to match exactly what -m bpf --bytecode needs. Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | extensions: add libxt_bpf extensionWillem de Bruijn2013-04-023-0/+203
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add user-space code to support the new BPF iptables extension. Pablo has mangled the original patch to: * include a copy of include/linux/netfilter/xt_bpf.h in the tree. * I have also remove the --bytecode-file option. The original proposal was to accept BPF code in a file in human readable format. Now, with the nfbpf_compile utility, it's very easy to generate the filter using tcpdump-like syntax. * I have remove the trailing comma in the backtick format, the parser works just fine for me here. * Fix error message if --bytecode is missing. Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | libip6t_DNPT: add manpagePablo Neira Ayuso2013-04-011-0/+30
| | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | libip6t_SNPT: add manpagePablo Neira Ayuso2013-04-011-0/+30
|/ | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_osf: fix bad location for location in --genrePablo Neira Ayuso2013-03-291-1/+4
| | | | | | | closes http://bugzilla.netfilter.org/show_bug.cgi?id=805 Reported-by: Bourne Without <blackhole@airpost.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_osf: fix missing --ttl and --log in save outputPablo Neira Ayuso2013-03-291-0/+4
| | | | | | | closes http://bugzilla.netfilter.org/show_bug.cgi?id=805 Reported-by: Bourne Without <blackhole@airpost.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ip[6]tables: show --protocol instead of --proto in usageMart Frauenlob2013-03-292-2/+2
| | | | | | | | As the man page shows --protocol not --proto, also do so in the usage text displayed by ip[6]tables -h. Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Revert "build: resolve link failure for ip6t_NETMAP"Pablo Neira Ayuso2013-03-291-11/+7
| | | | | | | | | | | | | | | | | | This reverts commit 68e77a26111ee6b8f10c735a76891a7de6d57ee6. The use of libtool was introduced to resolve linking problems in NETMAP (IPv6 version), but that resulted in RPATH problems reported from distributors and warnings spotted by libtool at linking stage. Since (0ca548b libip6t_NETMAP: Use xtables_ip6mask_to_cidr and get rid of libip6tc dependency) fixed the NETMAP issue, let's roll back to our previous stage. A small conflicts in extensions/GNUmakefile.in has been resolved in this revert. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>