| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Resolve the (justified) WTF remark to a clearer version of when/why
PROTO_RANDOM needs to be set.
Especially when --random is used before --to in SAME, it would have
not been appleid.
|
|
|
|
|
|
|
|
|
|
|
| |
iptables-restore v1.4.10: DNAT: Multiple --to-destination not supported
xtables_option_parse sets cb->xflags already, so that it cannot be
directly used to test whether an option is being used for the second
time. Thus use a private option/flag (X_TO_DEST/SRC) that is not under
the control of xtables_option_parse.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|\ |
|
| |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|/
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
| |
With "!flags", any option will be accepted. The extensions however
want one very specific option to be used (or wrong help text).
Commits: DNAT: v1.3.8~23, osf: v1.4.6~3
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Due to the use of printf("foobar "), iptables emits spaces at the
end-of-line, which looks odd to some users because it causes the
terminal to wrap even if there is seemingly nothing to print.
It may also have other points of annoyance, such as mailers
interpreting a trailing space as an indicator that the paragraph
continues when format=flowed is also on.
And git highlights trailing spaces in red, so let's avoid :)
Preexisting inconsistencies in outputting spaces in the right
spot are also addressed right away.
References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429579
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
| |
Match and target parse functions now only get option characters they
have defined themselves.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
| |
Try to inhibit copypasting old stuff.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
|
| |
Specifying --random before --to-dest results in:
Multiple --to-destination not supported
Fix the flags check to only test the IPT_DNAT_OPT_DEST bit.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
| |
In going to fix NF bug #611, "argv" is needed in
xtables_check_inverse to set "optarg" to the right spot in case of an
intrapositional negation.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=611
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
| |
Add support for persistent mappings (2.6.29-rc2+) as replacement for the
removed SAME target.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
| |
Thanks to Stephen Hemminger for noticing.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
| |
Most touched files do not use anything from ip_tables.h, so
remove that #include. multiport instead, does need it (ipt_entry).
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
| |
This also adds a warning that intrapositional negation support
is deprecated.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
| |
iptables.h and ip6tables.h only include declarations internal to
iptables (specifically iptables.c and ip6tables.c), as most of the
public API has been moved to xtables.h a few months ago.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
| |
Resync netfilter.h from the latest kernel and make use of the new
NFPROTO_ constants that have been introduced.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
| |
A number of comments are redundant, some outdated and others outright
wrong in their own way. Remove and fixup.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
| |
Max Kellermann <max@duempel.org>
|
|
|
|
|
|
| |
Rename overlapping function names.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
|
|
|
|
|
|
|
| |
Move a few functions from iptables.c/ip6tables.c to xtables.c
so they are available for combined (both AF_INET and AF_INET6)
libxt modules. Rename overlapping function names.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
|
|
|
|
|
|
| |
The --random option produces "Unknown arg `--random'" errors with both the
DNAT and REDIRECT targets. Corrected by the attached patch.
Tom Eastep <teastep@shorewall.net>
|
|
|
|
|
|
|
|
|
|
|
| |
Give symbols of libxt targets unique names (2/3).
Adds unique prefixes to all functions (most of them - especially the hook
functions) so that debugging programs can unambiguously map a symbol to an
address. Also unifies the names of the xtables_match/xtables_target structs,
(based upon libxt_connmark.c/libip6t_*.c).
Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
|
| |
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
|
|
|
|
|
|
|
| |
I've kept .print=NULL and .save=NULL so it stands out
(since iptables will do the print/save then).
Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
|
|
|
|
|
|
|
|
|
|
| |
This changes the type of arguments as follows in multiport, DNAT, SNAT,
MASQUERADE, and REDIRECT
- ip[6]t_ip[6] * -> void *
- ip[6]t_entry * -> void *
and adds lines to cast these pointer with intended type.
|
| |
|
|
|
|
| |
this option left behind.
|
|
|
|
| |
versions.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
DNAT and SNAT targets. At present, the error is somewhat vague:
# iptables -t nat -A foo -j SNAT --to 1.2.3.4 --to 2.3.4.5
iptables: Invalid argument
But if we want current iptables to work with kernels <= 2.6.10, we
cannot simply disallow this in all cases.
So the below patch adds kernel version checking to iptables, and
utilizes it in [DS]NAT. Now, users will see a more informative error:
# iptables -t nat -A foo -j SNAT --to 1.2.3.4 --to 2.3.4.5
iptables v1.3.3: Multiple --to-source not supported
This generic infrastructure (shamelessly lifted from procps btw) may
come in handy in the future for other changes.
This fixes bugzilla #367. (Phil Oester)
|
| |
|
|
|
|
| |
(Yasuyuki Kozakai)
|
|
|
|
| |
Fixes build with conntrack event patch for 2.6
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
syntax on DNAT/SNAT:
--to x.x.x.x:y:z
but doesn't actually make use of the second port. Clear up the confusion
by only accepting a dash between the ports.
This closes bugzilla #265.
Signed-off-by: Phil Oester <kernel@linuxace.com>
|
|
|
|
| |
(I removed the revision stuff for the moment, but this needs to go in before the code moves too much --RR)
|
|
|
|
| |
naming
|
| |
|
|
|
|
| |
- iptables-save/-restore is no longer experimental
|
|
|
|
| |
(PPC fix).
|
| |
|