Commit message [tag] (Author, Age, Files, Lines)
* Bump version [tag: v1.4.4] (Patrick McHardy, 2009-06-16, 1 file, -1/+1)
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* Merge branch 'stable' of git://dev.medozas.de/iptables (Patrick McHardy, 2009-06-11, 12 files, -30/+39)
|\
| * manpages: markup corrections (Jan Engelhardt, 2009-06-10, 5 files, -26/+25)
| |   The manpage of xt_cluster and xt_recent had some unclosed tags. Backslashes in commands are also not wanted because manpages are a freeform, automatically-wrapped text.
| |   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * iptables: close open file descriptors (Jan Engelhardt, 2009-06-10, 5 files, -0/+8)
| |   Just for correctness, close some file descriptors that were opened. (E.g. ip6tables-save reading from procfs files.)
| |   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxt_connlimit: initialize v6_mask (kd6lvw, 2009-06-10, 1 file, -1/+3)
| |   When converting "--connlimit-mask $bits" to a 128-bit v6 mask, the code uses a left shift on v6_mask[n]. This requires v6_mask to be filled with all one-bits beforehand, but this initialization was not done.
| |   References: http://bugzilla.netfilter.org/show_bug.cgi?id=597
| |   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxt_tcp: manpage corrections and suggestions (Ian Bruce, 2009-06-08, 1 file, -2/+2)
| |   From: Ian Bruce <ian_bruce@fastmail.net>
| |   The commit corrects some minor errors in the iptables(8) man page, related to port ranges in the "tcp" module.
| |   Reference: http://bugs.debian.org/531677
| |   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxt_tcp: fix a manpage syntax typo (Frank Tobin, 2009-06-08, 1 file, -1/+1)
| |   Reference: http://bugzilla.netfilter.org/show_bug.cgi?id=596
| |   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | Updated set/SET match and target to support multiple ipset protocols. (Jozsef Kadlecsik, 2009-06-11, 5 files, -44/+65)
|/
|   By checking the protocol version of the kernel part, the sockopt type of ipset protocols are all supported. Forward compatibility with the netlink based protocol is missing. The --set option of the set match is replaced by --match-set to avoid clashing with the recent match, but the old option is also kept. Manpages are updated, references to bindings removed.
* extensions: remove redundant casts (Jan Engelhardt, 2009-06-08, 2 files, -8/+8)
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* DNAT/SNAT: add manpage documentation for --persistent flag (Jan Engelhardt, 2009-06-08, 3 files, -4/+12)
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* extensions: use NFPROTO_UNSPEC for .family field (Jan Engelhardt, 2009-06-01, 17 files, -19/+19)
|   This constant would be the designated one for the .family field; it also, given recent changes, makes grep for NFPROTO_UNSPEC work to finally recollect all manpages.
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: fix manpage collection (Jan Engelhardt, 2009-06-01, 1 file, -1/+4)
|   Florian Westphal points out that v1.4.3.2-9-gc304d77 greps for the keyword in the wrong file, and that files with NFPROTO_UNSPEC are skipped. This patch corrects that part, and makes `make` now output the manpages it collected.
|   Reported-by: Florian Westphal <fw@strlen.de>
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* policy: merge ipv6 and ipv4 variant (Jan Engelhardt, 2009-06-01, 2 files, -463/+114)
|   The files duplicate most of their code, and struct ipt_policy_info being defined to xt_policy_info makes them actually have even more in common.
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* policy: use direct xt_policy_info instead of ipt/ip6t (Jan Engelhardt, 2009-05-31, 2 files, -66/+66)
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libip6t_policy: remove redundant functions (Jan Engelhardt, 2009-05-31, 1 file, -40/+8)
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* manpages: do not include v4-only modules in ip6tables manpage (Jan Engelhardt, 2009-05-26, 1 file, -5/+5)
|   References: http://bugs.debian.org/529954
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* addrtype: fix one manpage type (Jan Engelhardt, 2009-05-26, 1 file, -1/+1)
|   References: http://bugs.debian.org/528457
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: replace open-coded sizeof by ARRAY_SIZE (Jan Engelhardt, 2009-05-26, 18 files, -104/+47)
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: add const qualifiers in print/save functions (Jan Engelhardt, 2009-05-26, 28 files, -80/+67)
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* xtables: use extern "C" (Jan Engelhardt, 2009-05-26, 1 file, -0/+8)
|   This fixes linking errors for 3rd-party C++ code.
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Add new COMMIT_NOTES document (Jan Engelhardt, 2009-05-25, 1 file, -0/+15)
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* xtables: fix segfault if incorrect protocol name is used (Pablo Neira Ayuso, 2009-05-12, 1 file, -0/+3)
|   This patch fixes a segfault that can be triggered if you use an incorrect protocol, e.g.
|   # iptables -I PREROUTING -t nat -p lalala --dport 21 -j DNAT --to 192.168.1.2:21
|   Segmentation fault
|   With this patch:
|   # iptables -I PREROUTING -t nat -p lalala --dport 21 -j DNAT --to 192.168.1.2:21
|   iptables v1.4.3.2: unknown protocol `lala' specified
|   Try `iptables -h' or 'iptables --help' for more information
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: add `cluster' match support (Pablo Neira Ayuso, 2009-05-06, 3 files, -0/+317)
|   This patch adds support for the cluster match to iptables.
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* SNAT/DNAT: add support for persistent multi-range NAT mappings (Patrick McHardy, 2009-04-17, 3 files, -2/+22)
|   Add support for persistent mappings (2.6.29-rc2+) as replacement for the removed SAME target.
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* build: bump version to 1.4.3.2 [tag: v1.4.3.2] (Pablo Neira Ayuso, 2009-04-06, 1 file, -1/+1)
|   This patch bumps iptables version to 1.4.3.2
|   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_conntrack: properly output negation symbol (Jan Engelhardt, 2009-04-05, 1 file, -4/+4)
|   Because the wrong flag was checked, the "!" was either wrongly printed, or not printed at all. This was broken since v1.4.0-29-ga8ad34c.
|   Reported-by: Steven Jan Springl <steven@springl.ukfsn.org>
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* CLASSIFY: document non-standard interpretation behavior (Jan Engelhardt, 2009-04-04, 2 files, -2/+3)
|   Most other extensions use strtoul (by means of xtables_strtoui) and would abide by the standard convention of hex/octal prefixes 0x/0, and decimal otherwise, but CLASSIFY is an exception.
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Merge branch 'plus' (Jan Engelhardt, 2009-04-04, 12 files, -35/+75)
|\
| * iptables: print negation extrapositioned (Jan Engelhardt, 2009-04-04, 2 files, -12/+12)
| |   This patch combines the two referenced ones by Peter. I did a quick extra audit to spot and fix the missing ip6tables parts. (People like to forget ip6tables it seems.) Extension modules were, to the best of my knowledge, already audited in v1.4.3-rc1-10-gcea9f71.
| |   Reported-by: Yar Odin <yarodin@gmail.com>
| |   References: http://bugs.gentoo.org/264089
| |   Reported-by: Peter Volkov <pva@gentoo.org>
| |   References: http://marc.info/?l=netfilter-devel&m=123883867907935&w=2
| |   References: http://marc.info/?l=netfilter-devel&m=123883992508943&w=2
| |   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxtables: provide IPv6 zero address variable (Jan Engelhardt, 2009-04-03, 1 file, -1/+2)
| |   µClibc may not provide the in6addr_any variable when IPv6 is disabled. So just provide it ourselves.
| |   Reference: http://bugzilla.netfilter.org/show_bug.cgi?id=569
| |   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * build: add configure option to disable ipv4 iptables (Jan Engelhardt, 2009-04-03, 3 files, -1/+9)
| |   This patch complements the previous one.
| |   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * build: add configure option to disable ip6tables (Jan Engelhardt, 2009-04-03, 3 files, -4/+13)
| |   This also skips building the IPv6 extensions. It does not #ifdef out all code however, I think that would make it too ugly.
| |   Inspired-by: http://bugzilla.netfilter.org/show_bug.cgi?id=560
| |   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * build: do not run ldconfig for DESTDIR installations (Jan Engelhardt, 2009-04-03, 1 file, -3/+2)
| |   Reference: http://bugzilla.netfilter.org/show_bug.cgi?id=560
| |   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxtables: reorder .version member (Jan Engelhardt, 2009-04-03, 2 files, -4/+14)
| |   When the structure's layout changes, as it did between v1.4.1 and v1.4.2, trying to compare the version string makes iptables segfault while it tries to determine whether the module is compatible in the first place. By moving the member to a known offset in the struct and keeping it there, objects (both iptables and 3rd party) compiled from this commit onwards will avoid the segfault.
| |   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * iptables-multi: support "iptables-static" as a callable name (Jan Engelhardt, 2009-03-24, 2 files, -2/+4)
| |   iptables multi-purpose version: unknown applet name iptables-static
| |   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxt_tcpmss: fix an inversion while parsing --mss (Jan Engelhardt, 2009-03-24, 1 file, -1/+1)
| |   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * iptables: refer to dmesg if we hit EINVAL [tag: v1.4.3.1] (Pablo Neira Ayuso, 2009-03-24, 2 files, -7/+18)
| |   With this patch, iptables refers to dmesg for further troubleshooting if we hit EINVAL.
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | Merge commit 'v1.4.3' (Jan Engelhardt, 2009-04-04, 0 files, -0/+0)
|\ \
| |/
|/|
| |   Connect history to the tag.
| * Bump version to 1.4.3 [tag: v1.4.3] (Patrick McHardy, 2009-03-23, 2 files, -2/+2)
| |   Signed-off-by: Patrick McHardy <kaber@trash.net>
* | build: bump version to 1.4.3.1 (Pablo Neira Ayuso, 2009-03-24, 1 file, -1/+1)
| |   Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | build: fix linker issue when LDFLAGS contains --as-needed (Peter Volkov, 2009-03-24, 1 file, -4/+4)
| |   The link of iptables-save fails on:
| |   $ make LDFLAGS="-Wl,--as-needed"
| |   [...]
| |   extensions/libext4.a(libxt_RATEEST.o): In function `RATEEST_final_check':
| |   extensions/libxt_RATEEST.c:164: undefined reference to `log'
| |   Helpful Reference: http://www.gentoo.org/proj/en/qa/asneeded.xml
| |   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | libxt_hashlimit: add missing space for iptables-save output (Jan Engelhardt, 2009-03-24, 1 file, -1/+1)
| |   Reference: http://bugzilla.netfilter.org/show_bug.cgi?id=568
| |   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | libxtables: fix compile error due to incomplete change (Peter Volkov, 2009-03-24, 1 file, -1/+1)
| |   Commit 2338efd8f799d8373dc196c797bda9690283b698 forgot to update the constant in one place, and the compile error triggered only when -DNO_SHARED_LIBS (configure --disable-shared) was in effect.
| |   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | iptables-save: minor corrections to the manpage markup (Jan Engelhardt, 2009-03-24, 2 files, -10/+8)
|/
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libiptc: give credits to my self (Jesper Dangaard Brouer, 2009-03-23, 1 file, -0/+5)
|   Add notes about my scalability work on the library libiptc. This should make it more obvious who to complain to.
|   Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* libiptc: fix whitespaces and typos (Jesper Dangaard Brouer, 2009-03-23, 1 file, -41/+41)
|   Cleanup whitespaces while going through the code.
|   Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* libiptc: fix chain rename bug in libiptc (Jesper Dangaard Brouer, 2009-03-23, 1 file, -1/+8)
|   Chain renaming (TC_RENAME_CHAIN) can result in an unsorted chain list. That breaks the requirement of the binary search done in iptcc_bsearch_chain_index().
|   Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* libiptc: avoid compile warnings for iptc_insert_chain (Christoph Paasch, 2009-03-23, 1 file, -1/+1)
|   iptc_insert_chain is too big to get inlined and so it generates a warning while compiling.
|   Signed-off-by: Christoph Paasch <christoph.paasch@gmail.com>
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* iptables-save: module loading corrections (Jan Engelhardt, 2009-03-19, 4 files, -8/+28)
|   1. Ignore the absence of /proc/net/ip_tables_names, which happens when x_tables.ko is not loaded. This is equivalent to having x_tables.ko, but no table modules, loaded. As such, success should be returned.
|   2. Load table when explicitly requested by the -t option. Users might expect "*foo" etc. to be output when `iptables-save -t foo` is executed. So do autoload x_tables.ko and the table in this case.
|   *. Do this for both iptables-save and ip6tables-save, and adjust the manpages for the new -M (modprobe program location) option that is introduced.
|   Based upon a patch by Soren Hansen.
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_comment: output quotes must be escaped in (Jan Engelhardt, 2009-03-19, 1 file, -1/+2)
|   Reference: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=519584
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>