summaryrefslogtreecommitdiffstats
path: root/extensions
Commit message (Collapse)AuthorAgeFilesLines
* set match negation bug fixedJoszef Kadlecsik2006-06-232-3/+3
|
* REDIRECT does not accept IP (Phil Oester <kernel@linuxace.com>)Phil Oester2006-06-201-0/+3
| | | | | | As pointed out by Nicolas Mailhot in bugzilla #483, REDIRECT does not accept an IP address and when supplied with one, provides unexpected results. Patch below fixes this.
* trivial connlimit manpage fix (Phil Oester <kernel@linuxace.com>)Phil Oester2006-05-291-2/+2
|
* Use lowercase letters for match name (Simon Lodal <simonl@parknet.dk>)Simon Lodal2006-05-241-4/+4
|
* Add information about :<port> syntax (Evan Miller <evanm@frap.net>)Evan Miller2006-05-241-2/+3
|
* secmark: Add libip6t_CONNSECMARKJames Morris2006-05-243-1/+140
| | | | | | | This patch adds the shared library module for the CONNSECMARK target (IPv6). Signed-off-by: James Morris <jmorris@namei.org>
* D'oh .. I'm not too smart, forgot to add the new files in the previous ↵Patrick McHardy2006-05-246-0/+405
| | | | patches :)
* secmark: Add libipt_CONNSECMARKJames Morris2006-05-241-1/+1
| | | | | | | This patch adds the shared library module for the CONNSECMARK target (IPv4). Signed-off-by: James Morris <jmorris@namei.org>
* secmark: Add libip6t_SECMARKJames Morris2006-05-241-1/+1
| | | | | | This patch adds the shared library module for the SECMARK target (IPv6). Signed-off-by: James Morris <jmorris@namei.org>
* secmark: Add libipt_SECMARKJames Morris2006-05-241-1/+1
| | | | | | This patch adds the shared library module for the SECMARK target (IPv4). Signed-off-by: James Morris <jmorris@namei.org>
* secmark: Add libselinux supportJames Morris2006-05-241-1/+14
| | | | | | | | | This patch adds the infrastructure for linking iptables against libselinux, for use with the SECMARK target. This is enabled by setting DO_SELINUX=1 in the build environment. Signed-off-by: James Morris <jmorris@namei.org>
* Add DCCP/SCTP support to multiport. Patch for kernel will go in 2.6.18.Patrick McHardy2006-04-282-16/+48
|
* [IPTABLES,IP6TABLES]: check invalid esp spi rangeYasuyuki KOZAKAI2006-04-152-0/+6
|
* fix loading shared library of ICMPv6 match.Yasuyuki KOZAKAI2006-04-153-1/+1
| | | | | | | | | | | | | The current ip6tables tries to load libip6t_icmp6.so when user types 'ip6tables -p icmpv6 ...' or 'ip6tables ... -m icmpv6' ...', and it fails. This patch renames libip6t_icmpv6.c to libip6t_icmp6.c so that ip6tables can load it. Now kernel module and user library has same name 'icmp6'. It can reduce confusion about name mismatch. That's why I renamed it instead of reverting change in find_match() which brought this bug. This patch keeps compatibiity and we can use '-p icmpv6', '-p ipv6-icmpv6', '-m icmpv6', '-m ipv6-icmpv6', and '-m icmp6', as ever.
* [IPTABLES,IP6TABLES]: fix the path to detect esp/connbytes support in kernelHarald Welte2006-04-122-2/+2
| | | | The recent kernels don't have ipt_connbytes.c and ip6t_esp.c.
* Correct iptables-save output of osf module (Daniel De Graaf)Daniel De Graaf2006-03-311-0/+8
|
* make policy match compile independant of kernel headersv1.3.5Harald Welte2006-02-012-2/+2
|
* Some !%$!*##$@ has modified the kernel include/linux/netfilter_ipv4/ipt_sctp.hHarald Welte2006-02-011-0/+13
| | | | file in a way that breaks userspace :(
* remove other bits of old ip pool code, people should use ipset ↵Harald Welte2006-02-013-295/+0
| | | | (ipset.netfilter.org) these days
* Prepare policy match for x_tables unification by making sure bothPatrick McHardy2006-01-315-16/+10
| | | | ipt_policy and ip6t_policy use the same data structure.
* fix 'save' (Michael Rash)Michael Rash2006-01-301-2/+2
|
* major manpage update (Yasuyuki Kozakai)Yasuyuki KOZAKAI2006-01-3026-84/+128
|
* Add 'copy+paste' support for 'state' and 'connmark' match, as well asHarald Welte2006-01-264-1/+535
| | | | 'CONNMARK' target for ip6tables / nf_conntrack_l3proto_ipv6. This is a temporary solution for the iptables-1.3.x branch, since the 1.4.x branch will have proper support.
* add note about deprecated stateHarald Welte2006-01-261-0/+2
|
* fix spelling 'adress' -> 'address' (Closes: #431) (MJ Anthony)Harald Welte2006-01-222-2/+2
|
* Fix "empty policy element" complaining in non-strict mode.Noticed by Tom Eastep2006-01-222-2/+4
| | | | Noticed by Tom Eastep <teastep@shorewall.net>.
* Clarify --tunnel-src/--tunnel-dst optionsPatrick McHardy2006-01-122-6/+10
|
* Move empty policy element check to also catch last elementPatrick McHardy2006-01-122-10/+12
|
* Don't allow using --next option without specifying a policy elementPatrick McHardy2006-01-122-4/+14
|
* Fix invalid assignment of tunnel-src to dest address (Patrick McHardy)Patrick McHardy2006-01-091-2/+2
|
* Add documentation for string match (Pablo Neira)Pablo Neira2006-01-031-0/+15
|
* fix iptables-save of 'goto' target (Closes: #410)Harald Welte2005-12-051-2/+2
|
* Add note that TCPMSS is only valid in the mangle table (not true today, but ↵Patrick McHardy2005-12-051-1/+4
| | | | maybe someday)
* tcp-rst is the alias, not tcp-reset (Torsten Hilbrich)Harald Welte2005-11-221-1/+1
|
* Add policy match extensions from patch-o-maticPatrick McHardy2005-11-196-0/+998
|
* Fix some gcc-4 warningsPatrick McHardy2005-11-184-7/+7
|
* Don't eat numeric arguments for other extensionsPatrick McHardy2005-11-181-4/+12
|
* The conntrack match does not print any info for --ctproto, thusPhil Oester2005-11-171-0/+7
| | | | | breaking iptables-restore of any rules using this option. Below patch adds output and closes bug #398. (Phil Oester)
* fix connmark, it's now only 32bits (Deti Fliegl <deti@fliegl.de)v1.3.4Deti Fliegl2005-11-032-53/+10
| | | | | | We'ver screwed this up with the 2.6.14 release. It refuses any mask that extends 32bits. We should have fixed this by adding a new target/match revision, but now it's too late anyway :(
* The conntrack match extension doesn't handle address inversion correctly. ↵Tom Eastep2005-09-191-2/+2
| | | | (Tom Eastep)
* Kernels higher than 2.6.10 don't support multiple --to arguments inPhil Oester2005-09-192-0/+14
| | | | | | | | | | | | | | | | | | | | | DNAT and SNAT targets. At present, the error is somewhat vague: # iptables -t nat -A foo -j SNAT --to 1.2.3.4 --to 2.3.4.5 iptables: Invalid argument But if we want current iptables to work with kernels <= 2.6.10, we cannot simply disallow this in all cases. So the below patch adds kernel version checking to iptables, and utilizes it in [DS]NAT. Now, users will see a more informative error: # iptables -t nat -A foo -j SNAT --to 1.2.3.4 --to 2.3.4.5 iptables v1.3.3: Multiple --to-source not supported This generic infrastructure (shamelessly lifted from procps btw) may come in handy in the future for other changes. This fixes bugzilla #367. (Phil Oester)
* * specifying random seed for the Jenkins hash works as documentedKOVACS Krisztian2005-09-191-28/+37
| | | | | | | * iptables-save seems to work now Signed-off-by: KOVACS Krisztian <hidden@balabit.hu> Signed-off-by: Harald Welte <laforge@netfilter.org>
* Make libipt_connbytes.c compile with the ipt_connbytes version that has been ↵Martin Josefsson2005-09-111-6/+6
| | | | merged into the 2.6 kernel
* Update manpage to reflect missing ability to SNAT to multiple ranges in ↵Harald Welte2005-08-291-4/+6
| | | | 2.6.11-rc1 and later
* Update manpage to reflect missing NAT to multiple ranges support in ↵Harald Welte2005-08-291-4/+7
| | | | 2.6.11-rc1 and later.
* update string match to reflect new kernel implementation (Pablo Neira)Pablo Neira2005-08-281-40/+110
|
* add support for new 'dccp' protocol matchHarald Welte2005-08-063-0/+414
|
* port Eric Leblond's NFQUEUE missing-break fix to ip6tablesHarald Welte2005-08-052-0/+4
|
* Add missing 'break' to make parsing of NFQUEUE numbers work (Eric Leblond)Eric Leblond2005-08-052-0/+4
|
* update manpage to reflect QUEUE / nfnetlink_queue / NFQUEUE changesHarald Welte2005-07-282-0/+18
|