| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |\| |
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
This passes the per-extension data block to the new x6_fcheck function
pointer, which can then do last alterations without using hacks
like global variables (think libxt_statistic).
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patchset seeks to drastically reduce the code in the individual
extensions by centralizing their argument parsing (breakdown of
strings), validation, and in part, assignment.
As a secondary goal, this reduces the number of static storage duration
variables in flight.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| |
| | |
Addendum to v1.4.10-75-g4e5d4bf. It does not make sense to use
ipv6header's --soft without specifying any options.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |\ \ |
|
| | | |
| | |
| | |
| | |
| | | |
The direction parser did not catch when more src/dst direction
parameters were supplied than allowed.
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| | |
Commit v1.4.9-35-gd4105ad changed from [A-Z] and [a-z] to use
[[:alnum:]], which unfortunately drew matches into the target section,
and targets into the match section. [[:upper:]] and [[:lower:]] should
have been used instead, of course.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
(actually only applies to two comments, since the
function has long been called do_command6)
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| | |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Matches and targets built into the iptables static binary will always
be registered as the binary starts up, this may potentially (as a result
of kernel version support checking) result in modules being autoloaded.
This is undesirable (for example it may cause CONNMARK target to load
and thus cause the kernel to load the conntrack module, which isn't a
no-op).
Transition to a system where matches and targets are registered into
a pending list, from whence they get fully registered only when
required.
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |/
|
|
|
|
|
|
|
|
| |
An IPv6 address consists of eight hexadecimal 16-bit values seperated
by colons, or alternatively, six (not five) of these followed by a colon
and an IPv4 address in standard dotted decimal quad notation
(for IPv4 mapped addresses and the like).
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
| |
(This is iptables-1.4.3.1-cloexec.patch from RedHat iptables.src.rpm)
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
| |
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
| |
Add documentation for the iptables and ip6tables "security" tables.
Based on http://lwn.net/Articles/267140/ and kernel source.
Signed-off-by: Mark Montague <mark@catseye.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
| |
Signed-off-by: Thomas Graf <tgraf@redhat.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It is often useful to check whether a specific rule is already present
in a chain without actually modifying the iptables config.
Services like fail2ban usually employ techniques like grepping through
the output of "iptables -L" which is quite error prone.
This patch adds a new operation -C to the iptables command which
mostly works like -D; it can detect and indicate the existence of the
specified rule by modifying the exit code. The new operation
TC_CHECK_ENTRY uses the same code as the -D operation, whose functions
got a dry-run parameter appended.
Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
|
|
|
|
| |
I found the subcommand handling and naming done by iptables-multi and
ip6tables-multi very confusing and complicated; this patch
reorganizes the subcommands in a single table, allowing both variants
of them to be used (iptables/main) and also prints a list of the
allowed commands if an unknown command is entered by the user.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
|
|
| |
This shall make it easier to identify outdated HTML renditions on the
interwebs, since many of them do not display the .TH header like man(1)
does.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
Revisiting the original condition (viewable in git log -1 -p
v1.4.10-57-gacef604), one can notice an unforuntate inversion. This
commit corrects this.
Testcase: -A INPUT -p tcp --dport 1
Reported-by: Florian Westphal
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
