summaryrefslogtreecommitdiffstats
path: root/extensions
Commit message (Collapse)AuthorAgeFilesLines
...
| * | extensions: libipt_icmp: add unit testPablo Neira Ayuso2013-10-071-0/+15
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_helper: add unit testPablo Neira Ayuso2013-10-071-0/+6
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_esp: add unit testPablo Neira Ayuso2013-10-071-0/+9
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_dccp: add unit testPablo Neira Ayuso2013-10-071-0/+30
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_NFLOG: add unit testPablo Neira Ayuso2013-10-071-0/+19
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_tos: add unit testPablo Neira Ayuso2013-10-071-0/+13
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_tcp: add unit testPablo Neira Ayuso2013-10-071-0/+26
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_udp: add unit testPablo Neira Ayuso2013-10-071-0/+22
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_length: add unit testPablo Neira Ayuso2013-10-071-0/+10
| | | | | | | | | | | | | | | | | | based on tests/options-most.rules Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_time: add unit testPablo Neira Ayuso2013-10-071-0/+4
| | | | | | | | | | | | | | | | | | based on tests/options-most.rules Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_hashlimit: add unit testPablo Neira Ayuso2013-10-071-0/+26
| | | | | | | | | | | | | | | | | | based on tests/options-most.rules Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_CONNMARK: add unit testPablo Neira Ayuso2013-10-071-0/+7
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_connmark: add unit testPablo Neira Ayuso2013-10-071-0/+9
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_connlimit: add unit testPablo Neira Ayuso2013-10-071-0/+16
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_connbytes: add unit testPablo Neira Ayuso2013-10-071-0/+21
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_CLASSIFY: add unit testPablo Neira Ayuso2013-10-071-0/+9
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_CHECKSUM: add unit testPablo Neira Ayuso2013-10-071-0/+4
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_AUDIT: add unit testPablo Neira Ayuso2013-10-071-0/+6
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_comment: add unit testPablo Neira Ayuso2013-10-071-0/+12
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_cluster: add unit testPablo Neira Ayuso2013-10-071-0/+10
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libip6t_LOG: add unit testPablo Neira Ayuso2013-10-071-0/+12
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libxt_addrtype: add unit testPablo Neira Ayuso2013-10-071-0/+17
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libipt_LOG: add unit testPablo Neira Ayuso2013-10-071-0/+12
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libip6t_ah: add unit testPablo Neira Ayuso2013-10-071-0/+14
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | extensions: libipt_ah: add unit testPablo Neira Ayuso2013-10-071-0/+12
| | | | | | | | | | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | | extensions: libxt_devgroup: Fix the path of the group mappings fileAna Rey2014-09-191-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | Use "/etc/iproute2/group" as the default path to the mapping file instead of "/etc/iproute2/group_map". Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | | extensions: libxt_connlabel: do not open config file from _init hookFlorian Westphal2014-09-051-7/+20
| |/ |/| | | | | | | | | | | | | else, static builds will print this for every iptables invocation, even 'iptables -L'. Delay open until we need to translate a mapping. Reported-by: Thomas De Schampheleire <patrickdepinguin@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* | Merge branch 'next-3.14'Pablo Neira Ayuso2014-05-167-9/+239
|\ \
| * | iptables: add libxt_cgroup frontendDaniel Borkmann2014-01-042-0/+82
| | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the user space extension/frontend for process matching based on cgroups from the kernel patch entitled "netfilter: xtables: lightweight process control group matching". Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | iptables: snat: add randomize-full supportDaniel Borkmann2014-01-043-9/+34
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch provides the userspace part for snat in order to make randomize-full support available in {ip,nf}tables. It allows for enabling full port randomization that was motivated in [1] and introduced to the kernel in [2]. Joint work between Hannes Frederic Sowa and Daniel Borkmann. [1] https://sites.google.com/site/hayashulman/files/NIC-derandomisation.pdf [2] http://patchwork.ozlabs.org/patch/304306/ Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: Daniel Borkmann <dborkman@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | iptables: Add IPv4/6 IPcomp match supportfan.du2013-12-242-0/+123
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch enables user to set iptables ACTIONs for IPcomp flow specified by its SPI value. For example: iptables -A OUTPUT -p 108 -m ipcomp --ipcompspi 0x12 -j DROP ip6tables -A OUTPUT -p 108 -m ipcomp --ipcompspi 0x12 -j DROP IPcomp packet with spi as 0x12 will be dropped. Signed-off-by: Fan Du <fan.du@windriver.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | | update FSF address in license textJiri Popelka2014-03-133-3/+3
| | | | | | | | | | | | | | | | | | | | | http://www.gnu.org/licenses/gpl-2.0.html http://www.fsf.org/about/contact/ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | | Merge branch 'nft-compat'Pablo Neira Ayuso2014-02-131-0/+388
|\ \ \ | | | | | | | | | | | | | | | | This merges the branch that contains the iptables over nftables compatibility layer into master.
| * | | extensions: libxt_mangle: Fixes option issuesTomasz Bursztyka2013-12-301-15/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix option IDs and remove irrelevant flags on setting options mandatory. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * | | extensions: add arptables' libxt_mangle.c for xtables-arpTomasz Bursztyka2013-12-301-0/+389
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | This is a porting of the original mangle target in arptables. This also adapts original code so functions fits with libxtables. This is needed by the xtables-arp compatibility tool for nftables. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | | extensions: libxt_SYNPROXY: initial manual pageMartin Topholm2014-01-311-0/+64
| | | | | | | | | | | | | | | Signed-off-by: Martin Topholm <mph@one.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* | | extensions: libxt_set: Add missing hyphen to --bytes-eq synopsis in manpageMart Frauenlob2014-01-041-1/+1
|/ / | | | | | | | | Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at> Signed-off-by: Florian Westphal <fw@strlen.de>
* | Merge branch 'stable-1.4.20'Florian Westphal2013-11-231-5/+3
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ... to get 76e230e ('iptables: link against libnetfilter_conntrack'), else static build doesn't work. Conflicts: extensions/GNUmakefile.in [ CPPFLAGS was added in master, so keep it ] Reported-By: Gustavo Zacarias <gustavo@zacarias.com.ar>
| * | iptables: link against libnetfilter_conntrackJan Engelhardt2013-08-231-5/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Linking currently fails in --enable-static case: ../extensions/libext.a(libxt_connlabel.o): In function `connlabel_get_name': iptables/extensions/libxt_connlabel.c:57: undefined reference to `nfct_labelmap_get_name' [..] It's libxtables.la(libxt_connlabel.o) using libnetfilter_conntrack. If libnetfilter_conntrack is not found, @libnetfilter_conntrack_CFLAGS@ and @libnetfilter_conntrack_LIBS@ (and their ${} ones) should be empty, therefore producing no harm to include unconditionally. Reported-and-tested-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Florian Westphal <fw@strlen.de>
* | | extensions: libxt_set, libxt_SET: check the set family tooJozsef Kadlecsik2013-11-181-4/+48
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Do not accept silently sets with wrong protocol family but reject them with an error message. It makes straightforward to catch user errors. [ Use afinfo instead to avoid a binary interface update --pablo ] Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | | extensions: add SYNPROXY extensionPatrick McHardy2013-11-181-0/+127
| | | | | | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* | | extensions: libxt_cluster: add note on arptables-jfPablo Neira Ayuso2013-11-041-0/+5
| |/ |/| | | | | | | | | | | | | | | Gao feng reported problems while getting the cluster match working with arptables. This patch adds a note in the manpage to warn about the arptables-jf syntax, which is different from mainstream arptables. Reported-by: Gao feng <gaofeng@cn.fujitsu.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | iptables: extensions/GNUMakefile.in use CPPFLAGSLaurence J. Lane2013-09-271-1/+1
| | | | | | | | | | | | | | | | | | | | "All other Makefiles add CPPFLAGS to ${COMPILE} (automake), but GNUmakefile.in doesn't set it." http://bugs.debian.org/665286 Signed-off-by: Laurence J. Lane <ljlane@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | extensions: libxt_LOG: use generic syslog reference in manpageLaurence J. Lane2013-09-271-4/+2
| | | | | | | | | | | | | | | | | | | | | | Fedora, ArchLinux, Ubuntu, and Debian, at the least, use alternative syslog daemons by default these days. Let's make the syslog reference generic. Reference: http://bugs.debian.org/567564 Signed-off-by: Laurence J. Lane <ljlane@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | iptables: libxt_string.man add examplesLaurence J. Lane2013-08-241-0/+10
| | | | | | | | | | | | | | | | Add usage examples for string and hex string patterns. References: http://bugs.debian.org/699904 Signed-off-by: Laurence J. Lane <ljlane@debian.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* | iptables: libxt_recent.{c,man} dead URLLaurence J. Lane2013-08-242-4/+1
| | | | | | | | | | | | | | Remove it. Signed-off-by: Laurence J. Lane <ljlane@debian.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* | iptables: libip(6)t_REJECT.man default icmp typesLaurence J. Lane2013-08-222-7/+6
| | | | | | | | | | | | | | | | | | | | | | | | The extension man page shows "port-unreach" and "port-unreachable" as default icmpv6 and icomp reject-with types. Either and variations work fine for writing rules, but they are displayed as "icmp6-port-unreachable" and "icmp-port-unreachable". Let's make that consistent. http://bugs.debian.org/644819 Signed-off-by: Laurence J. Lane <ljlane@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | iptables: libxt_conntrack.man extraneous commasLaurence J. Lane2013-08-221-2/+2
| | | | | | | | | | | | | | | | | | | | | | The first might work. The second doesn't. (The other corrections in the bug report are already implemented.) http://bugs.debian.org/654983 Signed-off-by: Laurence J. Lane <ljlane@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | iptables: libxt_hashlimit.man: correct addressLaurence J. Lane2013-08-221-1/+1
| | | | | | | | | | | | | | | | | | Corrects an example address with subnet mask. http://bugs.debian.org/698393 Signed-off-by: Laurence J. Lane <ljlane@debian.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* | Merge branch 'stable-1.4.20'Pablo Neira Ayuso2013-08-081-0/+6
|\| | | | | | | | | | | To retrieve: iptables: state match incompatibilty across versions