| Commit message (Collapse) | Author | Age | Files | Lines |
| |
Performance optimize scalability issue:
Sorting chain during pull-out gives worst-case runtime O(Chains^2).
When pulling out the blob, every chain name is inserted alphabetically
into a linked list (by function iptc_insert_chain()). The problem
with this approach is that the chain names delivered in the blob are
already sorted (as we push it back to the kernel sorted).
This causes chain parsing to always process every element in the chain
list and finish with a tail add. Causing worst-case runtime O(C^2/2)
for alphabetical sorting of chains.
The patch solves this by only calling iptc_insert_chain() when
creating new chains.
Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
| |
iptables prints the mask as a prefix length if it is valid;
This patch makes iptables-save do the same.
Also, iptables-save will always print "/32" in the "-s addr/32"
case now. This reduces the amount of code external parsing scripts
need to provide to properly parse iptables-save output.
ip6tables-save already does the right thing, so no change there.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
| |
Rename libipt_{time,u32}.man to libxt_{time,u32}.man to go
in line with the C files.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
| |
Fix a typo in call to check_inverse().
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
| |
Fixing a make/compile issue with iptables, release candidate 1.4.0rc1,
which has existed since SVN changeset 6920. This patch adds ip_tables.h
and ip6_tables.h, and updates x_tables.h, taken from Linus's git tree.
Changeset 6920 added the include file x_tables.h from kernel source, but
didn't add ip_tables.h and ip6_tables.h.
At some point (Tue Nov 14 19:48:48 2006, by Yasuyuki Kozakai) these
kernel headers were changed, which actually removes certain
dependencies from ip_tables.h and ip6_tables.h to x_tables.h.
If compiling will fail, with old kernel headers (ip_tables.h and
ip6_tables.h) available in system's include path, because they depend on
certain defines in x_tables.h which is missing in the version in SVN.
Jesper Brouer <jdb@comx.dk>
| |
The --random option produces "Unknown arg `--random'" errors with both the
DNAT and REDIRECT targets. Corrected by the attached patch.
Tom Eastep <teastep@shorewall.net>
| |
<stefano.sabatini-lala@poste.it>)
| |
Adds --table to iptables-restore, which allows restoring only the supplied table
Signed-off-by: Peter Warasin <peter@endian.com>
| |
Sorry forgot to mention that the "ip6tables-multi.c" (in the patch) which is
not in the repository has to be manually added.
Hann-huei Chiou <koala@ascenvision.com>
| |
The iptables.8 and ip6tables.8 man pages are now generated from libxt_*.man
files too. For xtables modules one man page is enough with libxt_ prefix.
The match and target lists are sorted alphabetically.
The make command doesn't print anything when it creates man pages.
Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
| |
When defining DO_MULTI=1 in Makefile, only iptables is built as
a single multipurpose binary. This patch makes ip6tables also be
built in the same manner.
Hann-huei Chiou <koala@ascenvision.com>
| |
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
| |
Victor Stinner <victor.stinner@inl.fr>
| |
According to Jan:
While the fields of struct xt_time are uints, the defined
time_t span is by definition 0..2^31-1, i.e. it should be
INT_MAX, not UINT_MAX.
| |
instead of LONG_MAX
| |
Macros like SCTP_CHUNKMAP_XXX(chukmap) require chukmap to be an array,
but print_chunks() passes a pointer to these macros.
Li Zefan <lizf@cn.fujitsu.com>
| |
iptables prints some of its error messages and warnings to stdout.
This patch applies to svn r7075 and will make iptables print
diagnostic messages to stderr instead.
Signed-off-by: Max Kellermann <max@duempel.org>
| |
warnings
| |
In extensions/Makefile the variable PFX_EXT_SLIB_OPTS is not appended to
OPTIONALS, therefore 'make print-extensions' doesn't show any optional
libxt_* extension.
Sebastian Claßen <sebastian.classen@freenet.ag>
| |
Removing '&' from .._match and ..._target variables.
Give all symbols unique names.
Signed-off-by: Laszlo Attila Toth
| |
Remove hbh stuff from libip6t_dst,
remove dst stuff from libip6t_hbh.
Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
| |
Give symbols of libxt targets unique names (3/3).
Adds unique prefixes to all functions (most of them - especially the hook
functions) so that debugging programs can unambiguously map a symbol to an
address. Also unifies the names of the xtables_match/xtables_target structs,
(based upon libxt_connmark.c/libip6t_*.c).
Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
| |
Give symbols of libxt matches unique names (3/3).
Adds unique prefixes to all functions (most of them - especially the hook
functions) so that debugging programs can unambiguously map a symbol to an
address. Also unifies the names of the xtables_match/xtables_target structs,
(based upon libxt_connmark.c/libip6t_*.c).
Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
| |
Give symbols of libxt targets unique names (2/3).
Adds unique prefixes to all functions (most of them - especially the hook
functions) so that debugging programs can unambiguously map a symbol to an
address. Also unifies the names of the xtables_match/xtables_target structs,
(based upon libxt_connmark.c/libip6t_*.c).
Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
| |
Give symbols of libxt matches unique names (2/3).
Adds unique prefixes to all functions (most of them - especially the hook
functions) so that debugging programs can unambiguously map a symbol to an
address. Also unifies the names of the xtables_match/xtables_target structs,
(based upon libxt_connmark.c/libip6t_*.c).
Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
| |
Give symbols of libxt targets unique names (1/3).
Adds unique prefixes to all functions (most of them - especially the hook
functions) so that debugging programs can unambiguously map a symbol to an
address. Also unifies the names of the xtables_match/xtables_target structs,
(based upon libxt_connmark.c/libip6t_*.c).
Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
| |
Give symbols of libxt matches unique names (1/3).
Adds unique prefixes to all functions (most of them - especially the hook
functions) so that debugging programs can unambiguously map a symbol to an
address. Also unifies the names of the xtables_match/xtables_target structs,
(based upon libxt_connmark.c/libip6t_*.c).
Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
| |
Cease using ipt_entry_match (replaced by xt_entry_match).
Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
| |
Constify more data structures. Make functions static.
Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
| |
Deletes empty ->print() and ->save() functions.
ip[6]tables prints the trivial thing automatically.
Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
| |
Deletes empty ->final_check() functions, and makes ip[6]tables
check for NULL on these.
Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
| |
Deletes empty ->init() functions. ip[6]tables already
checks for .init being NULL or not.
Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
| |
Mixing member accessors (non-named vs named) is not good.
Remove stray NULL.
Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
| |
The function names in libipt_addrtype.c make debugging hard, also I renamed them
prefixed by 'addrtype_'.
Laszlo Attila Toth <panther@balabit.hu>
| |
iptables (up to 0927 snapshot) keeps complaining of "Couldn't
load (or find, if NO_SHARED_LIBS=1) match `u32'". After comparing
with other libxt_*.c, I found that there's no member ".family"
in the "u32_reg" structure, while ".family = AF_INET6" exists
in "u32_reg6".
Hann-Huei Chiou <koala@ascenvision.com>
| |
This is libipt_time from POM-ng enhanced by the following:
* day-of-month support (for example "match on the 15th of each month")
* inversion support for --weekdays and --monthdays
* match against UTC or local timezone
* a manpage
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
| |
warning: format '%ld' expects type 'long int', but argument 3 has type 'int'.
With %u alone, you would get "but arg-start is long" warnings on x64.
With %lu, you would get "but arg-start is int" on x86.
Fix it up by explicitly deciding for one (%u and cast to unsigned int)
and using that.
Jan Engelhardt <jengelh@computergmbh.de>
| |
Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
| |
prototypes
| |
<panther@balabit.hu>)
* no extra target/match by default :)
* man page of fix modules (PF_EXT_SLIB etc.) plus optional
(...SLIB_OPTS) modules generated, but not all.
* because of the previous one I had to rename PF_EXT_SE_SLIB to
PF_EXT_SELINUX_SLIB etc. as a non-optional variable, original
PF_EXT_SE_SLIB gets the value of PF_EXT_SELINUX_SLIB if DO_SELINUX is
set to 1.
| |
Fixes compiler warning in quota match.