path: root/extensions
Commit message  [Author, Age, Files, Lines]
* Revert "Merge branch 'iptables-next'"  [Patrick McHardy, 2010-05-21, 2 files, -214/+0]
|     This reverts commit 65414babaebcd403e9bf2c27d9d74adb369bf3aa, reversing
|     changes made to 7278461dfad72e2008585dd0bac0e889e5bba99e.
|     Forgot to commit the version increase.
* Merge branch 'iptables-next'  [Patrick McHardy, 2010-05-20, 2 files, -0/+214]
|\
| * Merge branch 'master' of git://dev.medozas.de/iptables into iptables-next  [Patrick McHardy, 2010-05-13, 2 files, -0/+214]
| |\
| | * extensions: add support for xt_TEE  [Jan Engelhardt, 2010-04-19, 2 files, -0/+214]
| | |     xt_TEE is firstly included in Linux 2.6.35.
| | |     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | | extensions: MASQUERADE: fix --to-ports parser  [Dmitry V. Levin, 2010-05-20, 1 file, -16/+16]
| | |     Rewrite port range validator to use xtables_strtoui() and xtables_param_act().
| | |     Original check failed to recognize such port range errors as "1a-2" and "1-2a".
| | |     Also, original parser erroneously denied using port 0, which is now allowed.
| | |     Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
| | |     Signed-off-by: Patrick McHardy <kaber@trash.net>
* | | extensions: REDIRECT: fix --to-ports parser  [Dmitry V. Levin, 2010-05-14, 1 file, -22/+18]
|/ /
| |     Rewrite port range validator to use xtables_strtoui() and xtables_param_act().
| |     Original check failed to recognize several types of port range errors,
| |     including: "-1", "-1a", "-1-a", "a-1", "1a-2", "1-2a", etc.
| |     Also, original parser erroneously denied using port 0, which is now allowed.
| |     Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
| |     Signed-off-by: Patrick McHardy <kaber@trash.net>
* | libxt_conntrack: document --ctstate UNTRACKED  [Simon Lodal, 2010-05-10, 2 files, -0/+7]
| |     Signed-off-by: Simon Lodal <simonl@parknet.dk>
| |     Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | CT: fix --ctevents parsing  [Pablo Neira Ayuso, 2010-05-09, 1 file, -2/+2]
| |     This patch fixes the following problem:
| |
| |     # iptables -t raw -I PREROUTING -t raw -j CT --ctevents assured
| |     iptables v1.4.7: Unknown event type "assured"
| |     Try `iptables -h' or 'iptables --help' for more information.
| |
| |     However, `assured' is one of the supported arguments for --ctevents.
| |     Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | iprange: fix xt_iprange v0 parsing  [Vincent Bernat, 2010-04-21, 1 file, -3/+5]
| |     iprange_parse() was incomplete and did not include parsed ranges into
| |     ipt_iprange_info structure resulting in always adding range
| |     0.0.0.0-0.0.0.0 in the kernel.
| |     Moreover, when using --dst-range, error messages may display
| |     --src-range instead. Fix this too.
| |     Signed-off-by: Vincent Bernat <bernat@luffy.cx>
| |     Signed-off-by: Patrick McHardy <kaber@trash.net>
* | libxt_CT: print conntrack zone in ->print/->save  [Patrick McHardy, 2010-04-20, 1 file, -0/+4]
|/
|     Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_osf: import nfnl_osf program  [Jan Engelhardt, 2010-04-06, 1 file, -2/+2]
|     xt_osf is pretty useless without the actual fingerprint loader.
|     Import nfnl_osf-2009-06-07 and make it a part of the iptables distribution.
|     Cc: Evgeniy Polyakov <johnpol@2ka.mxt.ru>
|     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: add manpage for libxt_osf  [Jan Engelhardt, 2010-04-06, 2 files, -2/+47]
|     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_recent: add a missing space in output  [Jan Engelhardt, 2010-04-06, 1 file, -1/+1]
|     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: remove claim that TCPMSS is limited to mangle  [Jan Engelhardt, 2010-04-06, 1 file, -4/+1]
|     There was no real restriction, and in fact, the kernel module never
|     had such a limitation in the last years.
|     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: libxt_MARK: no longer restricted to mangle table  [Jan Engelhardt, 2010-04-06, 1 file, -3/+4]
|     MARK used to be limited to the mangle table, but there was no real restriction.
|     References: http://marc.info/?l=netfilter-devel&m=126806510332668&w=2
|     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_CT: add a manpage  [Jan Engelhardt, 2010-03-11, 2 files, -1/+26]
|     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_comment: avoid use of IPv4-specific examples  [Jan Engelhardt, 2010-03-11, 1 file, -1/+1]
|     Since libxt_comment.man is included in both iptables.8 and
|     ip6tables.8, we should probably try to create examples that do not
|     rely on either address family.
|     References: http://bugs.debian.org/572628
|     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: add CT extension  [Patrick McHardy, 2010-03-08, 1 file, -0/+188]
|     Signed-off-by: Patrick McHardy <kaber@trash.net>
* includes: header updates  [Jan Engelhardt, 2010-02-01, 10 files, -5/+124]
|     Update the shipped Linux kernel headers from 2.6.33-rc6, as
|     iptables's ipt_ECN.h for example references ipt_DSCP.h, which no
|     longer exists.
|     Since a number of old code pieces have been removed in the kernel in
|     that fashion, the structs for older versions are moved into the .c
|     file, to keep header updating simple.
|     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* policy: fix error message showing wrong option  [Jan Engelhardt, 2010-01-31, 1 file, -1/+1]
|
* doc: mention requirement of additional packages for ipset  [Jan Engelhardt, 2010-01-19, 2 files, -0/+8]
|     References: https://bugzilla.novell.com/561177
|     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: fix limit manpage to reflect actual supported syntax  [Jan Engelhardt, 2010-01-19, 1 file, -1/+1]
|     References: https://bugzilla.novell.com/561179
|     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: fix recent manpage to reflect actual supported syntax  [Jan Engelhardt, 2010-01-19, 1 file, -2/+5]
|     References: https://bugzilla.novell.com/561180
|     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* recent: reorder cases in code (cosmetic cleanup)  [Jan Engelhardt, 2010-01-19, 1 file, -8/+8]
|     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Merge branch 'master' of git://dev.medozas.de/iptables  [Patrick McHardy, 2009-11-24, 1 file, -1/+3]
|\
| * doc: explain experienced --hitcount limit  [Jan Engelhardt, 2009-11-17, 1 file, -1/+3]
| |     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | conntrack: fix --expires parsing  [Patrick McHardy, 2009-11-20, 1 file, -1/+1]
| |     Using ranges in --ctexpire results in a parsing error:
| |
| |     conntrack: Bad value for "--expires" option: "1:1000"
| |
| |     The first value is parsed twice, after which the end pointer doesn't
| |     point to the expected '\0' but to the colon.
| |     Signed-off-by: Patrick McHardy <kaber@trash.net>
* | extensions: add osf extension  [Patrick McHardy, 2009-11-12, 1 file, -0/+155]
|/
|     From Evgeniy Polyakov <zbr@ioremap.net>
|     Signed-off-by: Patrick McHardy <kaber@trash.net>
* DNAT: fix incorrect check during parsing  [Patrick McHardy, 2009-11-06, 1 file, -1/+1]
|     Specifying --random before --to-dest results in:
|
|     Multiple --to-destination not supported
|
|     Fix the flags check to only test the IPT_DNAT_OPT_DEST bit.
|     Signed-off-by: Patrick McHardy <kaber@trash.net>
* CONNMARK: print mark rules with mask 0xffffffff as set instead of xset  [Jan Engelhardt, 2009-11-04, 1 file, -0/+2]
|     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* MARK: print mark rules with mask 0xffffffff as --set-mark instead of --set-xmark  [Patrick McHardy, 2009-11-04, 1 file, -0/+2]
|     Signed-off-by: Patrick McHardy <kaber@trash.net>
* iptables/extensions: make bundled options work again  [Jan Engelhardt, 2009-11-03, 37 files, -95/+95]
|     When using a bundled option like "-ptcp", 'argv[optind-1]' would
|     logically point to "-ptcp", but this is obviously not right.
|     'optarg' is needed instead, which is properly offset to "tcp".
|     Not all places change optind-based access to optarg; where
|     look-ahead is needed, such as for tcp's --tcp-flags option for
|     example, optind is ok.
|     References: http://bugzilla.netfilter.org/show_bug.cgi?id=611
|     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: hand argv to xtables_check_inverse  [Jan Engelhardt, 2009-11-03, 60 files, -128/+128]
|     In going to fix NF bug #611, "argv" is needed in
|     xtables_check_inverse to set "optarg" to the right spot in case of an
|     intrapositional negation.
|     References: http://bugzilla.netfilter.org/show_bug.cgi?id=611
|     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iprange: roll address parsing into a loop  [Jan Engelhardt, 2009-10-25, 1 file, -20/+16]
|
* iprange: warn on reverse range  [Jan Engelhardt, 2009-10-25, 1 file, -22/+29]
|
* iprange: do accept non-ranges for xt_iprange v1  [Jan Engelhardt, 2009-10-25, 1 file, -72/+47]
|     [fill in details]
* realm: remove static initializations  [Jan Engelhardt, 2009-10-25, 1 file, -3/+2]
|     Save a little disk space, they are initialized to zero anyway.
|     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: update TCPMSS manpage with Linux 2.6.25 changes  [Tim Small, 2009-10-25, 1 file, -1/+9]
|     References: http://bugs.debian.org/551272
|     [j.eng: modified --set-mss option description to be understandable]
|     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: fix typo in length manpage  [sobtwmxt, 2009-10-25, 1 file, -1/+1]
|     References: http://bugs.debian.org/551867
|     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: mention maximum mark size in manpages  [Jan Engelhardt, 2009-10-25, 3 files, -3/+5]
|
* man: fix incorrect plural in libipt_set.man  [Patrick McHardy, 2009-08-24, 1 file, -1/+1]
|     Signed-off-by: Patrick McHardy <kaber@trash.net>
* manpages: more fixes to minuses, hyphens, dashes  [Jan Engelhardt, 2009-08-20, 2 files, -2/+2]
|     Debian still carries patches to the iptables nroff code
|     touching ASCII minuses, so I thought, what's it this time.
|     Eventually, this patch tries to straighten things once more, per
|     http://en.wikipedia.org/wiki/Wikipedia:Manual_of_Style#Hyphens and
|     http://en.wikipedia.org/wiki/Wikipedia:Manual_of_Style#Dashes .
|     Titles will get the em dash; all typed commands or parameters with a
|     hyphen get a minus (so that man(1) hyperlinking and copy-pasting
|     does work), but other mentions get the hyphen.
|     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|     Signed-off-by: Patrick McHardy <kaber@trash.net>
* manpage: fix lintian warnings  [Laurence J. Lane, 2009-08-20, 1 file, -1/+1]
|     Description: extraneous slash caused this lintian warning:
|     W: iptables: manpage-has-errors-from-man usr/share/man/man8/iptables.8.gz 220: cannot use newline as a starting delimiter
|     W: iptables: manpage-has-errors-from-man usr/share/man/man8/ip6tables.8.gz 1823: warning: `precedence'' not defined
|     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|     Signed-off-by: Patrick McHardy <kaber@trash.net>
* ipt_set: fix a typo in the manpage  [Trent W. Buck, 2009-08-20, 1 file, -1/+1]
|     References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539101
|     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|     Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_NFQUEUE: add new v1 version with queue-balance option  [Florian Westphal, 2009-08-20, 2 files, -10/+124]
|     New version that adds support for specifying a queue range instead of
|     a single queue id. The kernel will distribute flows across the given
|     queue range.
|     This is useful for multicore systems, simply start multiple instances
|     of the userspace program on queues x, x+1, .. x+n and use
|     "--queue-balance x:x+n".
|     Packets belonging to the same connection are put into the same queue.
|     With fixes from Jan Engelhardt.
|     Signed-off-by: Florian Westphal <fwestphal@astaro.com>
|     Signed-off-by: Patrick McHardy <kaber@trash.net>
* Merge branch 'stable'  [Jan Engelhardt, 2009-08-05, 2 files, -22/+139]
|\
| |     Conflicts:
| |     extensions/libxt_conntrack.c
| |     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxt_helper: fix invalid passed option to check_inverse  [Jan Engelhardt, 2009-06-25, 1 file, -1/+1]
| |     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * xt_conntrack: revision 2 for enlarged state_mask member  [Jan Engelhardt, 2009-06-25, 1 file, -27/+148]
| |     This complements the xt_conntrack revision 2 code added to the kernel.
| |     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | build: combine iptables-multi and iptables-static  [Jan Engelhardt, 2009-07-25, 1 file, -2/+2]
| |     Changed the Makefile so that:
| |     1. --enable-shared / --disable-shared control the linkage against
| |        libdl (and thus the potential to use 3rd party extensions)
| |     2. --enable-static / --disable-static controls whether shipped
| |        extensions are built-in or provided as modules
| |     iptables-static becomes redundant by this action; iptables-multi now
| |     has the feature.
| |     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | extensions: collapse data variables to use multi-reg calls  [Jan Engelhardt, 2009-06-26, 15 files, -566/+552]
| |     Signed-off-by: Jan Engelhardt <jengelh@medozas.de>