path: root/configure.ac
Commit message | Author | Age | Files | Lines
* configure: bump version and libnftnl dependency [v1.8.0] | Florian Westphal | 2018-07-05 | 1 | -2/+2
    Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables: add xtables-monitor | Florian Westphal | 2018-06-25 | 1 | -0/+1
    This is a partial revert of commit 7462e4aa757dc28e74b4a731b3ee13079b04ef23 ("iptables-compat: Keep xtables-config and xtables-events out from tree") and re-adds xtables-events under a new name, with a few enhancements, this is --trace mode, which replaces printk-based tracing, and an improved event mode which will now also display pid/name and new generation id at the end of a batch.

    Example output of xtables-monitor --event --trace

    PACKET: 10 fa6b77e1 IN=wlan0 MACSRC=51:14:31:51:XX:XX MACDST=1c:b6:b0:ac:XX:XX MACPROTO=86dd SRC=2a00:3a0:2::1 DST=2b00:bf0:c001::1 LEN=1440 TC=18 HOPLIMIT=61 FLOWLBL=1921 SPORT=22 DPORT=13024 ACK PSH
     TRACE: 10 fa6b77e1 raw:PREROUTING:return:
     TRACE: 10 fa6b77e1 raw:PREROUTING:policy:DROP
     EVENT: -6 -t mangle -A PREROUTING -j DNPT --src-pfx dead::/64 --dst-pfx 1c3::/64
    NEWGEN: GENID=6581 PID=15601 NAME=xtables-multi

    Signed-off-by: Florian Westphal <fw@strlen.de>
* configure: add -Wlogical-op warning to cflags | Florian Westphal | 2018-06-15 | 1 | -0/+1
    It finds dead code in ebtables.

    Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables 1.6.2 release [v1.6.2] | Pablo Neira Ayuso | 2018-02-02 | 1 | -1/+1
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: change large file support handling | Juergen Borleis | 2017-10-04 | 1 | -2/+3
    The configure script handles the "--*-largefile" parameter badly. It always disables largefile support if given (and it doesn't matter if 'enable' or 'disable' was used).

    Signed-off-by: Juergen Borleis <jbe@pengutronix.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: Add a man page for nfnl_osf | Phil Sutter | 2017-10-04 | 1 | -1/+2
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: move XT_LOCK_NAME from CFLAGS to config.h. | Lorenzo Colitti | 2017-03-17 | 1 | -2/+4
    This slightly simplifies configure.ac and results in more correct dependencies.

    Tested by running ./configure with --with-xt-lock-name and without, and using strace to verify that the right lock is used.

    $ make distclean-recursive && ./autogen.sh &&
      ./configure --disable-nftables --prefix /tmp/iptables &&
      make -j64 &&
      make install &&
      sudo strace -e open,flock /tmp/iptables/sbin/iptables -L foo
    ...
    open("/run/xtables.lock", O_RDONLY|O_CREAT, 0600) = 3
    flock(3, LOCK_EX|LOCK_NB) = 0

    $ make distclean-recursive && ./autogen.sh && \
      ./configure --disable-nftables --prefix /tmp/iptables \
      --with-xt-lock-name=/tmp/iptables/run/xtables.lock &&
      make -j64 &&
      make install &&
      sudo strace -e open,flock /tmp/iptables/sbin/iptables -L foo
    ...
    open("/tmp/iptables/run/xtables.lock", O_RDONLY|O_CREAT, 0600) = 3
    flock(3, LOCK_EX|LOCK_NB) = 0

    Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: set the path of the lock file via a configure option. | Lorenzo Colitti | 2017-03-14 | 1 | -2/+8
    Currently the iptables lock is hardcoded as "/run/xtables.lock". Allow users to change this path using the --with-xt-lock-name option to ./configure option. This is useful on systems like Android which do not have /run.

    Tested on Ubuntu, as follows:

    1. By default, the lock is placed in /run/xtables.lock:

    $ make distclean-recursive && ./autogen.sh &&
      ./configure --disable-nftables --prefix /tmp/iptables &&
      make -j64 &&
      make install &&
      sudo strace -e open,flock /tmp/iptables/sbin/iptables -L foo
    ...
    open("/run/xtables.lock", O_RDONLY|O_CREAT, 0600) = 3
    flock(3, LOCK_EX|LOCK_NB) = 0
    iptables: No chain/target/match by that name.

    2. Specifying the lock results in the expected location being used:

    $ make distclean-recursive && ./autogen.sh && \
      ./configure --disable-nftables --prefix /tmp/iptables \
      --with-xt-lock-name=/tmp/iptables/run/xtables.lock &&
      make -j64 &&
      make install &&
      sudo strace -e open,flock /tmp/iptables/sbin/iptables -L foo
    ...
    open("/tmp/iptables/run/xtables.lock", O_RDONLY|O_CREAT, 0600) = 3
    flock(3, LOCK_EX|LOCK_NB) = 0
    iptables: No chain/target/match by that name.

    Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables 1.6.1 release | Pablo Neira Ayuso | 2017-01-16 | 1 | -1/+1
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_bpf: support ebpf pinned objects | Willem de Bruijn | 2016-12-10 | 1 | -1/+1
    Exercise the new kernel feature introduced in commit 2c16d6033264 ("netfilter: xt_bpf: support ebpf") to load pinned eBPF programs.

    The new interface allows instantiating a bpf match using

      -m bpf --object-pinned ${PATH}

    where ${PATH} points to a node in a bpf virtual filesystem. See also the revised man page.

    Signed-off-by: Willem de Bruijn <willemb@google.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure: update libnetfilter_conntrack version dependency | Pablo Neira Ayuso | 2016-11-10 | 1 | -1/+1
    nfct_labels_get_path() requires libnetfilter_conntrack-1.0.6, update this dependency.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: introduce struct xt_xlate_{mt,tg}_params | Pablo Neira Ayuso | 2016-07-25 | 1 | -1/+1
    This structure is an extensible container of parameters, so we don't need to propagate interface updates in every extension file in case we need to add new parameters in the future.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure: Fix assignment statement | Shivani Bhardwaj | 2016-06-23 | 1 | -1/+1
    The assignment statement was interpreted as executing enable_connlabel command with the argument "no". This was due to the whitespaces in the assignment.

    Fixes the trivial bug introduced in commit 3b7a227 (configure: Show support for connlabel)

    Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
    Signed-off-by: Florian Westphal <fw@strlen.de>
* configure: Remove flex check warning | Shivani Bhardwaj | 2016-06-22 | 1 | -15/+0
    Remove the warning about outdated version of flex as it is not needed anymore. This check was introduced back in 2008 to skip a broken flex version that doesn't seem to be packaged by any distribution anymore.

    Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure: make libmnl and libnftnl hard requirements | Giuseppe Longo | 2016-04-27 | 1 | -0/+18
    Iptables building is broken if either libmnl or libnftnl is not installed on the system.

    Configure script actually checks if libmnl and libnftnl are installed, but doesn't exit if they are not.

    Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure: Show support for connlabel | Shivani Bhardwaj | 2016-03-22 | 1 | -9/+22
    Add the --disable-connlabel option and the appropriate functionality associated with it.

    After this patch, iptables configuration shows up as:

    Iptables Configuration:
      IPv4 support: yes
      IPv6 support: yes
      Devel support: yes
      IPQ support: no
      Large file support: yes
      BPF utils support: no
      nfsynproxy util support: no
      nftables support: yes
      connlabel support: yes

    Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables 1.6.0 release | Pablo Neira Ayuso | 2015-11-11 | 1 | -2/+2
    xtables_globals structure layout has changed, so let's bump libxtables_vcurrent.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: use new symbols in libnftnl | Pablo Neira Ayuso | 2015-09-16 | 1 | -1/+1
    Adapt this code to use the new symbols in libnftnl. This patch contains quite some renaming to reserve the nft_ prefix for our high level library.

    Explicitly request libnftnl 1.0.5 at configure stage.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: add finer module blacklisting | Mike Frysinger | 2015-08-26 | 1 | -2/+18
    Newer extensions require libnftnl in order to build, but there are no configure or build checks for it, which leads to a bunch of modules failing when libnftnl isn't installed.

    Add finer grained blacklisting so we can disable modules for specific parts rather than all of them. e.g. We want to blacklist libebt_limit, but not libxt_limit.

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure: fix 3rd arg w/AC_ARG_ENABLE | Mike Frysinger | 2015-08-18 | 1 | -2/+2
    The 3rd arg is used when --{enable,disable}-foo are passed in, not when the feature is enabled. Use the existing $enableval instead.

    Signed-off-by: Mike Frysinger <vapier@gentoo.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure: conditional dependencies for nftables-compat | Pablo Neira Ayuso | 2014-02-04 | 1 | -36/+37
    Depend on libmnl, libnftnl, flex and bison if only if the nftables compatibility is enabled.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure: rename --disable-xtables to --disable-nftables | Pablo Neira Ayuso | 2014-02-04 | 1 | -1/+1
    The compat utility name is xtables, the name used for the compatibility binary. Better explicitly refer to the compatibility later as nftables-compat.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* configure: fix wrong reference to the conntrack-tools | Pablo Neira Ayuso | 2014-02-04 | 1 | -2/+2
    Reported-by: Jan Engelhardt <jengelh@inai.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Use new libnftnl library name against former libnftables | Tomasz Bursztyka | 2014-01-20 | 1 | -2/+2
    Adapt the current code to use the new library name libnftnl.

    Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: fix compilation when lib[mnl|nftables] are not in standard path | Nicolas Dichtel | 2013-12-30 | 1 | -1/+1
    There were several problems:
      - a typo in the configure option
      - a typo in CFLAGS addon for libmnl and libnftables
      - paths to lib were missing on link

    Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* use nf_tables and nf_tables compatibility interface | Pablo Neira Ayuso | 2013-12-30 | 1 | -0/+44
    This patch adds the following utilities:

    * xtables
    * xtables-restore
    * xtables-save
    * xtables-config

    They all use Patrick's nf_tables infrastructure plus my compatibility layer.

    xtables, xtables-restore and xtables-save are syntax compatible with ip[6]tables, ip[6]tables-restore and ip[6]tables-save.

    Semantics aims to be similar, still the main exception is that there is no commit operation. Thus, we incrementally add/delete rules without entire table locking.

    The following options are also not yet implemented:

    -Z (this requires adding expr->ops->reset(...) so nft_counters can reset internal state of expressions while dumping it)

    -R and -E (this requires adding this feature to nf_tables)

    -f (can be implemented with expressions: payload 6 (2-bytes) + bitwise a&b^!b + cmp neq 0)

    -IPv6 support.

    But those are a matter of time to get them done.

    A new utility, xtables-config, is available to register tables and chains. By default there is a configuration file that adds backward compatible tables and chains under iptables/etc/xtables.conf. You have to call this utility first to register tables and chains.

    However, it would be possible to automagically register tables and chains while using xtables and xtables-restore to get similar operation than with iptables.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables 1.4.21 release [v1.4.21] | Pablo Neira Ayuso | 2013-11-22 | 1 | -1/+1
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: add nfsynproxy tool | Patrick McHardy | 2013-11-18 | 1 | -2/+7
    [ Originally synconf, but Jesper D. Brouer suggested to change the name to avoid a possible filename clash. I also include nfsynproxy in the final configure report --pablo ]

    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: add software version to manpage first line at configure stage | Pablo Neira Ayuso | 2013-08-22 | 1 | -0/+2
    This patch adds the software version to the first line of the following manpages:

      iptables-save.8
      iptables-restore.8
      iptables-apply.8
      iptables-xml.1

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: merge ip6table man pages into ipv4 ones | Florian Westphal | 2013-08-07 | 1 | -2/+1
    a couple of improvements to the iptables man page never made it into ip6tables version.

    The number of differences between these two files is so small that it seems preferable to alias the ipv6 man pages to their ipv4 counterpart and change iptables man page to specifically document differences (e.g. lack of ip6tables -f, etc).

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables 1.4.20 release [v1.4.20] | Pablo Neira Ayuso | 2013-08-06 | 1 | -1/+1
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: fail in configure on missing dependency with --enable-bpf-compiler | Willem de Bruijn | 2013-07-26 | 1 | -0/+4
    The build of utils/nfbpf_compile depends on libpcap. If configure is run with --enable-bpf-compiler, the script succeeds, but make fails.

    This small patch adds a test for the dependency (libpcap) in configure and fails hard if not found.

    Signed-off-by: Willem de Bruijn <willemb@google.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: additional include path required after UAPI changes | Phil Oester | 2013-07-24 | 1 | -2/+2
    After kernel commit 607ca46e (UAPI: (Scripted) Disintegrate include/linux), using the "--with-kernel" argument to build iptables stopped working due to the missing #ifdefs in the original files.

    We need to make sure the UAPI include dir is listed before the original location. Leaving both allows support for old and new kernels.

    This fixes bug #833.

    Signed-off-by: Phil Oester <kernel@linuxace.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_connlabel: use libnetfilter_conntrack | Florian Westphal | 2013-07-16 | 1 | -0/+12
    Pablo suggested to make it depend on lnf-conntrack, and get rid of the example config file as well.

    The problem is that the file must be in a fixed path, /etc/xtables/connlabel.conf, else userspace needs to "guess-the-right-file" when translating names to their bit values (and vice versa).

    Originally "make install" did put an example file into /etc/xtables/, but distributors complained about iptables ignoring the sysconfdir.

    So rather remove the example file, the man-page explains the format, and connlabels are inherently system-specific anyway.

    Signed-off-by: Florian Westphal <fw@strlen.de>
* configure: display summary | Eric Leblond | 2013-06-05 | 1 | -2/+47
    This patch adds a message at the end of configure which displays the different compilation options and system settings. An example output is the following:

    Iptables Configuration:
      IPv4 support: yes
      IPv6 support: yes
      Devel support: yes
      IPQ support: no
      Large file support: yes
      BPF utils support: no

    Build parameters:
      Put plugins into executable (static): no
      Support plugins via dlopen (shared): yes
      Installation prefix (--prefix): /usr/local
      Xtables extension directory: /usr/local/lib/xtables
      Pkg-config directory: /usr/local/lib/pkgconfig
      Kernel build directory: /lib/modules/custom
      Host: x86_64-unknown-linux-gnu
      GCC binary: gcc

    Signed-off-by: Eric Leblond <eric@regit.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: use autoconf to process .in man pages | Andy Spencer | 2013-05-29 | 1 | -0/+2
    This fixes a bug in iptables.8 and ip6tables.8 where @PACKAGE_VERSION@ was not processed in the VERSION section. It also simplifies the Makefile by avoiding some sed commands.

    [ Mangled this patch to rename iptables-extensions.8.in to iptables-extensions.8.tmpl.in to avoid having a file whose name is terminated by .in.in --pablo ]

    Signed-off-by: Andy Spencer <andy753421@gmail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables 1.4.19.1 release [v1.4.19.1] | Pablo Neira Ayuso | 2013-05-29 | 1 | -1/+1
    Unfortunately, the previous release did not include two patches that were applied by Florian recently. This release fixes it.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump version to 1.4.19 | Pablo Neira Ayuso | 2013-05-29 | 1 | -1/+1
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: nfbpf_compile | Willem de Bruijn | 2013-04-02 | 1 | -0/+4
    A BPF compiler to convert tcpdump expressions to the decimal format accepted by the libxt_bpf.

    Generate a file and pass that to iptables:

      nfbpf_compile RAW 'udp dst port 9000' > test.bpf
      iptables -A OUTPUT -m bpf --bytecode-file test.bpf -j LOG

    Or pass the output directly to iptables using backticks:

      iptables -A INPUT -m bpf --bytecode \
        "`./nfbpf_compile RAW 'udp dst port 9000'`" -j LOG

    This utility depends on libpcap. The library is only compiled if the option --enable-bpf-compiler is explicitly passed to ./configure and libpcap is found.

    Pablo has mangled the original patch to rename the utility to nfbpf_compile. Also modified the output to match exactly what -m bpf --bytecode needs.

    Signed-off-by: Willem de Bruijn <willemb@google.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump version to 1.4.18 [v1.4.18] | Pablo Neira Ayuso | 2013-03-03 | 1 | -1/+1
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump SONAME for libxtables | Jan Engelhardt | 2013-02-06 | 1 | -1/+1
    Commit v1.4.17-16-gefcdba4 updated structs in xtables.h, so age must become 0 and vcurrent be increased. The latter has already happened in v1.4.17-6-gd1e7922.

    Signed-off-by: Jan Engelhardt <jengelh@inai.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: add xtables_rule_matches_free | Pablo Neira Ayuso | 2013-01-04 | 1 | -2/+2
    This function is shared by iptables and ip6tables.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bump version to 1.4.17 [v1.4.17] | Pablo Neira Ayuso | 2012-12-25 | 1 | -1/+1
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bump iptables to 1.4.16.3 [v1.4.16.3] | Pablo Neira Ayuso | 2012-10-18 | 1 | -1/+1
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bump version to 1.4.16.2 [v1.4.16.2] | Pablo Neira Ayuso | 2012-10-08 | 1 | -1/+1
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bump version to 1.4.16.1 [v1.4.16.1] | Pablo Neira Ayuso | 2012-10-08 | 1 | -1/+1
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bump version to 1.4.16 [v1.4.16] | Pablo Neira Ayuso | 2012-10-07 | 1 | -1/+1
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: support for target aliases | Jan Engelhardt | 2012-09-27 | 1 | -2/+2
    This patch allows for target names listed on the command line to be rewritten to new names and revisions.

    As before, we will pick a revision that is supported by the kernel - now including real_name in the search. This gives us the possibility to test for many action names.

    Signed-off-by: Jan Engelhardt <jengelh@inai.de>
* build: separate AC variable replacements from xtables.h | Jan Engelhardt | 2012-08-31 | 1 | -1/+1
    It was/is a bit annoying that modifying xtables.h.in causes configure to rerun. Split the @foo@ things into a separate file to bypass this.

    Signed-off-by: Jan Engelhardt <jengelh@inai.de>
* build: support for automake-1.12 | Jan Engelhardt | 2012-08-31 | 1 | -0/+1
    automake-1.12 wants that AM_PROG_AR be used when LT_INIT is.

    Signed-off-by: Jan Engelhardt <jengelh@inai.de>