| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
| |
iptables.h and ip6tables.h only include declarations internal to
iptables (specifically iptables.c and ip6tables.c), as most of the
public API has been moved to xtables.h a few months ago.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds better error reporting when the user inserts a space
between two states with the --state option.
iptables -I INPUT -m state ESTABLISHED, RELATED
^
mind the space
results in:
iptables v1.4.2-rc1: Bad state `'
Try `iptables -h' or 'iptables --help' for more information.
Now this returns:
iptables v1.4.2-rc1: `--state' requires a list of states with no
spaces, e.g. ESTABLISHED,RELATED
This patch also applies to libxt_conntrack which has a copy of the
function.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Resync netfilter.h from the latest kernel and make use of the new
NFPROTO_ constants that have been introduced.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
| |
Sent in as part of a larger private mail by Gáspár Lajos
<swifty@freemail.hu>; I cherry-picked the ctdir part.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
| |
Reference: http://bugs.debian.org/502548
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
libxt_dccp.c: In function 'port_to_service':
libxt_dccp.c:196: warning: implicit declaration of function 'htons'
libxt_sctp.c: In function 'port_to_service':
libxt_sctp.c:321: warning: implicit declaration of function 'htons'
libxt_tcp.c: In function 'port_to_service':
libxt_tcp.c:220: warning: implicit declaration of function 'htons'
libxt_udp.c: In function 'port_to_service':
libxt_udp.c:104: warning: implicit declaration of function 'htons'
Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In file included from libxt_iprange.c:9:
../include/linux/netfilter.h:43: error: field 'in' has incomplete type
../include/linux/netfilter.h:44: error: field 'in6' has incomplete type
libxt_iprange.c: In function 'parse_iprange':
libxt_iprange.c:46: error: dereferencing pointer to incomplete type
libxt_iprange.c:53: error: dereferencing pointer to incomplete type
libxt_iprange.c: In function 'iprange_mt4_parse':
libxt_iprange.c:117: error: dereferencing pointer to incomplete type
libxt_iprange.c:121: error: dereferencing pointer to incomplete type
libxt_iprange.c:136: error: dereferencing pointer to incomplete type
libxt_iprange.c:140: error: dereferencing pointer to incomplete type
libxt_iprange.c: In function 'iprange_mt6_parse':
libxt_iprange.c:167: error: dereferencing pointer to incomplete type
libxt_iprange.c:171: error: dereferencing pointer to incomplete type
libxt_iprange.c:186: error: dereferencing pointer to incomplete type
libxt_iprange.c:190: error: dereferencing pointer to incomplete type
Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
|
| |
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Fix compilation error caused by double definition of IPPROTO_SCTP:
In file included from /usr/include/netinet/ip.h:25,
from /usr/include/linux/ip.h:19,
from tos_values.c:4,
from libxt_TOS.c:15:
/usr/include/netinet/in.h:84: error: expected identifier before numeric constant
make[2]: *** [libxt_TOS.oo] Error 1
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
| |
Add user-space code for the socket match.
Signed-off-by: KOVACS Krisztian <hidden@sch.bme.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
| |
Signed-off-by: KOVACS Krisztian <hidden@sch.bme.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
| |
When a neg mark is saved via iptables-save it is saved as !--mark,
but this is not recognized by iptables-restore, just adding a
space to the saved file to make it look like "! --mark" makes
iptables-restore accept the file.
Signed-off-by: Pablo Sebastian Greco <pablo@fliagreco.com.ar>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
A number of comments are redundant, some outdated and others outright
wrong in their own way. Remove and fixup.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
|
| |
|
|
|
| |
Signed-off-by: WANG Cong <wangcong@zeuux.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
| |
Latest git doesn't compile for me on Fedora 9 due to various *MAX constants
being undefined. Below adds the include in 3 files which need it (although
I can't see why this isn't required in 1.4.1.1).
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
| |
Tony Ho noticed a too-strict check in xt_recent, so here is a fix.
Reported-by: Tony Ho <iptables@iblink.com.cn>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
| |
A number of comments are redundant, some outdated and others outright
wrong in their own way. Remove and fixup.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
| |
iptables ships with all header files and prioritized its own include
directory over /usr/include/linux, so just use the normal brackets.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
| |
There is no --src-ip, just --src-range. (Same for --dst-range.)
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
| |
initext?.c is generated within the current directory, not in ${srcdir}.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
| |
Just a cosmetic fix for `iptables -S` and `iptables-save` printing
two spaces between arguments in the physdev match.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
| |
Text paragraphs should use .PP, since .TP makes it a list item with
indented description.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
As pointed out by Vyacheslav Garashchenko, iptables-save does not
save negated dscp matches properly. Fix below.
This closes bugzilla #533.
Phil
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
| |
In bugzilla 550, Xeb notes that the --hashlimit-htable-gcinterval
argument is saved incorrectly. Patch below corrects.
Patch-from: Xeb <xeb@mail.ru>
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Reported-by: Erich Schubert <erich@debian.org>
Reference: Debian bug #346034
"I was using the --rttl option in my --set line; this caused all
incoming ssh connections to be rejected; --rttl is only to be used
with --rcheck and --update."
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
| |
xtables.h does not need really need libxtc.h, and we can drop it from
the install as it is internal-only.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
| |
The string extension can search patterns case insensitively with
--icase option. A new revision 1 was added, in the meantime invert
of xt_string_info was moved into flags as a flag.
Signed-off-by: Joonwoo Park <joonwpark81@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
| |
Only when a 'stop' pointer is passed, the string may consist of more
than just a number.
Reported-by: Anonymous
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
| |
The --src-range and --dst-range parameters did not set the IPRANGE_*
flags in struct xt_iprange_mtinfo.
Reported-by: Maxim Britov <maxim.britov@gmail.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
| |
When --disable-shared is used, there are no .so files to install, and
the argument order for install would get messed up.
Reported-by: Michael Teicher <mteicher@gmail.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
| |
A number of options support negation, but the manpage did not reflect
this ("[!]" was absent). Also fix a few [] (optional arguments) to {}
(required arguments) in the option-BNF.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
| |
It could happen that --<arg><value> was printed on iptables-save with
owner rules (owner_mt_save() function) without the obligatory space
inbetween. Also transfer printing of the space character into
owner_mt_print_item().
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
| |
In revision 1 address type checking can be limited to either the
incoming or outgoing interface depending on the current chain. In
the FORWARD chain only one of them is allowed at the same time.
Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
| |
The _save functions need to use the same syntax that is used for parsing
the input instead of "user readable" output.
|
| |
|
|
|
|
|
|
|
|
| |
linux/dccp.h is unlikely to be installed before 2.6.18 (which was
when headers_install was introduced), and does not exist at all
before 2.6.14. Add a compile-time check to skip compilation of
libxt_dccp in case this was detected.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
| |
In the manpages, bold is used to denote characters the user has to
enter verbatim, italic denotes placeholders and non-highlighted
pieces are used as a structure: "[]" specifying an optional part,
"{}" a mandatory part, with "|" used for alternations. The "!" for
negation is better supported before the option than after it, too.
The patch makes a few files consistent with this style already used
in manpages.
|
| |
|
|
|
|
| |
Fixes Bugzilla 482.
Signed-off-by: Kristof Provost <kristof@sigsegv.be>
|
| |
|
|
|
|
|
|
| |
The new iptables git version assumes /bin/sh is always GNU bash,
that's not the case (Ubuntu 8.04 uses dash), see attachment
for a fix.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
