path: root/iptables.c
Commit log for iptables.c. Each entry gives the commit subject, then the author, date, number of files touched and lines removed/added, followed by the commit message body.
* [patch] Make --set-counters (-c) accept comma separated counters
  Author: Patrick McHardy <kaber@trash.net> | Date: 2008-05-13 | Files: 1 | Lines: -4/+7

  Here is the --set-counters syntax patch requested earlier today making
  --set-counters (-c) accept comma separated counts.

      -c packets,bytes

  I have not updated the manpage to reflect this alternate syntax for the
  --set-counters (-c) option.

  Henrik Nordstrom <henrik@henriknordstrom.net>
* [patch 4/4] iptables --list chain rulenum
  Author: Patrick McHardy <kaber@trash.net> | Date: 2008-05-13 | Files: 1 | Lines: -15/+31

  Extend --list (and --list-rules) to allow selection of a single rule number:

      iptables --list INPUT 4
      iptables --list-rules INPUT 4

  list rule number 4 in INPUT.

  Henrik Nordstrom <henrik@henriknordstrom.net>
* [patch 3/4] iptables --list-rules command
  Author: Patrick McHardy <kaber@trash.net> | Date: 2008-05-13 | Files: 1 | Lines: -15/+274

  Adds iptables --list-rules (-S) command, acting as a combination of
  iptables --list and iptables-save.

  The primary motivation behind this patch is to get iptables-save like
  output capabilities in iptables-restore, allowing "iptables-restore -n"
  to be used as a consistent API to iptables for all kind of operations,
  not only blind updates. As a bonus iptables also gets the capability of
  printing the rules as-is.

  This completely replaces the earlier patch which added the --rules option.

  Henrik Nordstrom <henrik@henriknordstrom.net>
* [patch 2/4] Add support for --set-counters to iptables -P
  Author: Patrick McHardy <kaber@trash.net> | Date: 2008-05-12 | Files: 1 | Lines: -2/+2

  Adds support for setting the policy counters:

      iptables -P INPUT -J DROP -c 10 20

  Henrik Nordstrom <henrik@henriknordstrom.net>
* [PATCH 08/10] Remove old functions, constants
  Author: Patrick McHardy <kaber@trash.net> | Date: 2008-04-15 | Files: 1 | Lines: -19/+7
* [PATCH 4/8] iptables: use C99 lists for struct options
  Author: Patrick McHardy <kaber@trash.net> | Date: 2008-04-14 | Files: 1 | Lines: -32/+32
* [PATCH 10/13] manpages: grammar and spelling
  Author: Patrick McHardy <kaber@trash.net> | Date: 2008-04-13 | Files: 1 | Lines: -1/+1
* [PATCH 02/13] Fix all remaining warnings (missing declarations, missing prototypes)
  Author: Patrick McHardy <kaber@trash.net> | Date: 2008-04-13 | Files: 1 | Lines: -3/+1
* [PATCH 05/24] Fix -Wshadow warnings and clean up xt_sctp.h
  Author: Patrick McHardy <kaber@trash.net> | Date: 2008-04-06 | Files: 1 | Lines: -6/+6

  Note: xt_sctp.h is still not merged upstream in the kernel as of this
  commit. But a refactoring was really needed.
* [PATCH]: whitespace cleanup
  Author: Patrick McHardy <kaber@trash.net> | Date: 2008-01-29 | Files: 1 | Lines: -13/+13

  Max Kellermann <max@duempel.org>
* [PATCH]: rename overlapping function names
  Author: Patrick McHardy <kaber@trash.net> | Date: 2008-01-20 | Files: 1 | Lines: -194/+4

  Rename overlapping function names.

  Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* [PATCH]: bunch o' renames
  Author: Patrick McHardy <kaber@trash.net> | Date: 2008-01-20 | Files: 1 | Lines: -78/+6

  Move a few functions from iptables.c/ip6tables.c to xtables.c so they are
  available for combined (both AF_INET and AF_INET6) libxt modules.
  Rename overlapping function names.

  Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* - cleanup several code wraparounds
  Author: Pablo Neira Ayuso <pablo@netfilter.org> | Date: 2008-01-17 | Files: 1 | Lines: -4/+21

  - check for malloc() return value in merge_opts()
  - check for merge_opts() return value
* [PATCH iptables] print warnings to stderr
  Author: Patrick McHardy <kaber@trash.net> | Date: 2007-10-17 | Files: 1 | Lines: -3/+4

  iptables prints some of its error messages and warnings to stdout. This
  patch applies to svn r7075 and will make iptables print diagnostic
  messages to stderr instead.

  Signed-off-by: Max Kellermann <max@duempel.org>
* Fix sscanf type errors
  Author: Patrick McHardy <kaber@trash.net> | Date: 2007-10-17 | Files: 1 | Lines: -6/+5
* [PATCH 03/14] Delete empty ->final_check() functions
  Author: Patrick McHardy <kaber@trash.net> | Date: 2007-10-04 | Files: 1 | Lines: -2/+3

  Deletes empty ->final_check() functions, and makes ip[6]tables check for
  NULL on these.

  Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
* Fix more sparse warnings: non-C99 array declaration, incorrect function prototypes
  Author: Patrick McHardy <kaber@trash.net> | Date: 2007-09-08 | Files: 1 | Lines: -54/+54
* Fix strict aliasing warnings
  Author: Patrick McHardy <kaber@trash.net> | Date: 2007-09-05 | Files: 1 | Lines: -2/+5
* [PATCH]: Remove last vestiges of NFC (Peter Riley <Peter.Riley@hotpop.com>)
  Author: Patrick McHardy <kaber@trash.net> | Date: 2007-09-02 | Files: 1 | Lines: -5/+4
* Make @msg argument a const char *, just like printf().
  Author: Yasuyuki Kozakai <yasuyuki@netfilter.org> | Date: 2007-08-01 | Files: 1 | Lines: -1/+1

  Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
* Makes it possible to omit extra_opts of matches/targets if unnecessary.
  Author: Yasuyuki Kozakai <yasuyuki@netfilter.org> | Date: 2007-07-30 | Files: 1 | Lines: -0/+3

  (Jan Engelhardt <jengelh@gmx.de>)

  A nice side effect is that merge_option() doesn't copy options in that case.
* Moves some duplicated functions in ip[6]tables.c to xtables.c
  Author: Yasuyuki Kozakai <yasuyuki@netfilter.org> | Date: 2007-07-24 | Files: 1 | Lines: -106/+0

  string_to_number_ll, string_to_number_l, string_to_number, service_to_port,
  parse_port, parse_interface, are moved.
* Introduces xtables match/target registration
  Author: Yasuyuki Kozakai <yasuyuki@netfilter.org> | Date: 2007-07-24 | Files: 1 | Lines: -310/+21

  - moves lib_dir to xtables.c
  - introduces struct pfinfo which has protocol family dependent information.
  - unifies load_ip[6]tables_ko() and moves them as load_xtables_ko()
  - introduces xt_{match,match_rule,target,tryload} and replaces ip[6]t_* with them
  - unifies following functions and move them to xtables.c
    - find_{match,find_target}
    - compatible_revision, compatible_{match,target}_revision
  - introduces xtables_register_{match,target} and make register_{match,target}[6]
    call them. xtables_register_* register ONLY matches/targets matched
    protocol family

  Some concepts:
  - source compatibility for libip[6]t_xxx.c with warning on compilation
    not binary compatibility.
  - binary compatibility between 2.4/2.6 kernel and iptables/ip6tables, of course.
  - xtables is enough to support only one address family at runtime.
    Then xtables keeps information of only the focused address family
    in struct afinfo.
* Moves ip[6]tables_insmod() to xtables.c as xtables_insmod()
  Author: Yasuyuki Kozakai <yasuyuki@netfilter.org> | Date: 2007-07-24 | Files: 1 | Lines: -80/+1
* Moves common fw_malloc() and fw_calloc() to xtables.c
  Author: Yasuyuki Kozakai <yasuyuki@netfilter.org> | Date: 2007-07-24 | Files: 1 | Lines: -24/+1
* Fix "iptables getsockopt failed strangely" when querying revisions for non-existent matches and targets
  Author: Patrick McHardy <kaber@trash.net> | Date: 2007-06-26 | Files: 1 | Lines: -1/+1

  Reported by Joseph Jezak <josejx@gentoo.org>.
* In fixing bug #446 [1], the output for unspecified proto was changed from "all" to "0".
  Author: Pablo Neira Ayuso <pablo@netfilter.org> | Date: 2007-04-30 | Files: 1 | Lines: -0/+1

  This reverts to the original behaviour, and closes bugzilla #543.
  (Phil Oester)
* Fix iptables --modprobe parameter (Maurice van der Pot <griffon26@kfk4ever.com>)
  Author: Patrick McHardy <kaber@trash.net> | Date: 2007-04-16 | Files: 1 | Lines: -1/+1

  Supply modprobe parameter to iptables_insmod function.

  Bugzilla #556
* Fixes typos in the argument of ip[6]tables_insmod: quit -> quiet
  Author: yasuyuki <yasuyuki@netfilter.org> | Date: 2007-03-20 | Files: 1 | Lines: -4/+4
* Suppress error message from modprobe on checking revision.
  Author: yasuyuki <yasuyuki@netfilter.org> | Date: 2007-03-13 | Files: 1 | Lines: -8/+14
* Add UDPLITE multiport support
  Author: kaber <kaber@netfilter.org> | Date: 2007-01-11 | Files: 1 | Lines: -0/+1
* [PATCH]: Fix /etc/network usage (Pablo Neira)
  Author: kaber <kaber@netfilter.org> | Date: 2006-11-29 | Files: 1 | Lines: -35/+34

  http://bugs.debian.org/398082

  iptables 1.3.5 and 1.3.6 appear to read /etc/networks, but the
  information is lost somewhere with 1.3.6.

      # cat /etc/networks
      foonet 10.0.0.0

      # strace -s 255 -o /tmp/foo iptables -v -A INPUT -s foonet/8 -j ACCEPT   #1.3.5 [1]
      ACCEPT  all opt -- in * out *  10.0.0.0/8  -> 0.0.0.0/0

      # strace -s 255 -o /tmp/bar iptables -v -A INPUT -s foonet/8 -j ACCEPT   #1.3.6 [2]
      iptables v1.3.6: host/network `foonet.0.0.0' not found
      Try `iptables -h' or 'iptables --help' for more information.

  1. http://people.debian.org/~ljlane/stuff/strace-iptables-1.3.5.txt
  2. http://people.debian.org/~ljlane/stuff/strace-iptables-1.3.6.txt
* [PATCH] Fix -E (rename) in iptables/ip6tables
  Author: kaber <kaber@netfilter.org> | Date: 2006-11-14 | Files: 1 | Lines: -1/+0

  Remove unused CHECK entry in commands_v_options. It makes -E (rename)
  working again - generic_opt_check expects options for RENAME not for
  CHECK at that table index.

  Signed-off-by: Krzysztof Piotr Oledzki <ole@ans.pl>
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* load ip_[6]tables.ko just before checking revision support in kernel.
  Author: yasuyuki <yasuyuki@netfilter.org> | Date: 2006-11-13 | Files: 1 | Lines: -2/+19
* Fix spelling error
  Author: kaber <kaber@netfilter.org> | Date: 2006-10-11 | Files: 1 | Lines: -1/+1
* Use negative-list for "weird character in interface" warning instead of warning for basically every non-alphanumeric character.
  Author: kaber <kaber@netfilter.org> | Date: 2006-09-20 | Files: 1 | Lines: -3/+3
* Revert "proto_to_name duplication" patch, as noticed by Yasuyuki it can cause invalid arguments to get accepted.
  Author: kaber <kaber@netfilter.org> | Date: 2006-07-25 | Files: 1 | Lines: -2/+1
* [PATCH] proto_to_name duplication (Phil Oester <kernel@linuxace.com>)
  Author: kaber <kaber@netfilter.org> | Date: 2006-07-22 | Files: 1 | Lines: -1/+2

  Update multiport match to use the iptables version of proto_to_name
  instead of reinventing the wheel.
* [PATCH] reduce parse_*_port duplication (Phil Oester <kernel@linuxace.com>)
  Author: kaber <kaber@netfilter.org> | Date: 2006-07-20 | Files: 1 | Lines: -0/+13

  The below patch (dependent upon my 'reduce service_to_port duplication'
  patch) centralizes the parse_*_port functions into parse_port.
* [PATCH] reduce service_to_port duplication (Phil Oester <kernel@linuxace.com>)
  Author: kaber <kaber@netfilter.org> | Date: 2006-07-20 | Files: 1 | Lines: -0/+11

  The service_to_port function is used in a number of places, and could
  benefit from some centralization instead of being duplicated everywhere.
* [PATCH] iptables: handle cidr notation more sanely (Phil Oester <kernel@linuxace.com>)
  Author: kaber <kaber@netfilter.org> | Date: 2006-07-10 | Files: 1 | Lines: -0/+30

  At present, a command such as

      iptables -A foo -s 10.10/16

  will interpret 10.10/16 as 10.0.0.10/16, and after applying the mask end
  up with 10.0.0.0/16, which likely isn't what the user intended. Yet some
  people do expect 10.10 (without the cidr notation) to end up as 10.0.0.10.

  The below patch should satisfy all parties. It zero pads the missing
  octets only in the cidr case, leaving the IP untouched otherwise.

  This resolves bug #422
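The padding rule this commit message describes, as an added example written for this page (it is not the iptables code and does not reproduce its parser): with a /prefix, missing octets of a dotted-decimal host part are zero-padded so `10.10/16` becomes 10.10.0.0/16; without a prefix, inet_aton() keeps its classic meaning and `10.10` stays 10.0.0.10; and a name such as `foonet/8` is never padded but handed back to the caller to resolve. That last case matters: the `foonet.0.0.0` error in the 1.3.6 /etc/networks report further down this log is what padding applied to a name looks like. The function names `parse_ipv4_spec` and `looks_numeric`, the return convention and the sample inputs are this example's own assumptions.

```c
#define _DEFAULT_SOURCE 1
#include <arpa/inet.h>
#include <ctype.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* True if s contains only digits and dots, i.e. could be dotted decimal.
 * inet_aton() also accepts hex and octal octets; those are deliberately not
 * padded here and fall through to the "name" path, the conservative choice. */
static int looks_numeric(const char *s)
{
    for (; *s; s++)
        if (!isdigit((unsigned char)*s) && *s != '.')
            return 0;
    return 1;
}

/* Hypothetical helper for this example, not iptables' parser.
 * Returns 0 with addr/mask in host byte order (addr already ANDed with mask),
 * 1 if the host part is a name the caller must resolve (never padded),
 * -1 if the address or prefix length is malformed. */
static int parse_ipv4_spec(const char *spec, uint32_t *addr_out, uint32_t *mask_out)
{
    char host[32];
    const char *slash = strchr(spec, '/');
    size_t hostlen = slash ? (size_t)(slash - spec) : strlen(spec);
    unsigned long prefix = 32;
    struct in_addr in;

    /* Keep room for up to three ".0" paddings plus the terminating NUL. */
    if (hostlen == 0 || hostlen + 7 > sizeof(host))
        return -1;
    memcpy(host, spec, hostlen);
    host[hostlen] = '\0';

    if (!looks_numeric(host))
        return 1;

    if (slash) {
        char *end;
        int dots = 0;
        for (const char *p = host; *p; p++)
            dots += (*p == '.');
        /* CIDR case only: "10.10/16" means 10.10.0.0/16, so zero-pad. */
        for (; dots < 3; dots++)
            strcat(host, ".0");

        /* Prefix must be a plain decimal 0..32 with nothing trailing. */
        if (!isdigit((unsigned char)slash[1]))
            return -1;
        errno = 0;
        prefix = strtoul(slash + 1, &end, 10);
        if (errno != 0 || *end != '\0' || prefix > 32)
            return -1;
    }

    /* No prefix: inet_aton() semantics apply unchanged, "10.10" is 10.0.0.10. */
    if (inet_aton(host, &in) == 0)
        return -1;

    *mask_out = prefix == 0 ? 0 : 0xffffffffu << (32 - prefix);
    *addr_out = ntohl(in.s_addr) & *mask_out;
    return 0;
}

int main(void)
{
    /* Constructed inputs covering the cases the commit message discusses. */
    static const char *const specs[] = {
        "10.10/16", "10.10", "10/8", "foonet/8", "10.10.10.10/33",
    };
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        uint32_t a, m;
        int rc = parse_ipv4_spec(specs[i], &a, &m);
        if (rc == 0)
            printf("%-16s -> %u.%u.%u.%u mask 0x%08x\n", specs[i],
                   a >> 24, (a >> 16) & 255, (a >> 8) & 255, a & 255, m);
        else
            printf("%-16s -> %s\n", specs[i], rc == 1 ? "name, resolve it" : "rejected");
    }
    return 0;
}
```

The two rules the commit keeps apart are visible in the first two inputs: `10.10/16` is padded and masked to 10.10.0.0, while bare `10.10` goes to inet_aton() untouched and comes back as 10.0.0.10. A firewall rule built from the unpadded form silently matches a different network, which is why the prefix-present check gates the padding.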
* In ip[6]tables.c, NUMBER_OF_OPT was increased to 12 for the OPT_COUNTERS option.
  Author: laforge <laforge@netfilter.org> | Date: 2006-04-21 | Files: 1 | Lines: -15/+16

  However, the new array element is not initialized in either
  commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] or
  inverse_for_options[NUMBER_OF_OPT].

  (Closes: #462)
* cmdflags is used in cmd2char() to return the option for a command.
  Author: laforge <laforge@netfilter.org> | Date: 2006-04-21 | Files: 1 | Lines: -2/+1

  It uses the bit position of the command mask as an index in the array.
  There's no entry for CMD_CHECK (0x0800U), so lookups for CMD_RENAME_CHAIN
  (0x1000U) index outside the array.

  (Closes: #463)
* Multiple matches of the same type can be specified on the commandline.
  Author: kadlec <kadlec@netfilter.org> | Date: 2006-03-03 | Files: 1 | Lines: -7/+32

  If two or more matches of the same type are detected then the options are
  assumed to be grouped in order to tell which option belongs to which match:

      ... -m foo ... <options0> ... -m foo ... <options1> ...

  Otherwise the commandline parsing is unmodified.
* Make '-p all' a special case that is handled before calling getprotoent() (Closes: #446)
  Author: laforge <laforge@netfilter.org> | Date: 2006-02-11 | Files: 1 | Lines: -1/+7
* fix double-free if a single match is used multiple times within a single rule
  Author: laforge <laforge@netfilter.org> | Date: 2006-02-11 | Files: 1 | Lines: -1/+3

  (Closes: #440). However, while this fixes the double-free, it still
  doesn't make iptables support two of the same matches within one rule.
  Apparently the last matchinfo is copied into all the previous matchinfo
  instances.
* Fix probing for supported revisions (Jones Desougi <jones@ingate.com>)
  Author: kaber <kaber@netfilter.org> | Date: 2005-12-22 | Files: 1 | Lines: -4/+4

  Bugzilla #413
* fix compilation of iptables on [old] systems that don't have IPT_F_GOTO
  Author: laforge <laforge@netfilter.org> | Date: 2005-11-24 | Files: 1 | Lines: -0/+2
* only set revisions on real targets, not on jumps. (Pablo Neira)
  Author: laforge <laforge@netfilter.org> | Date: 2005-11-17 | Files: 1 | Lines: -1/+3
* add 'goto' support (Henrik Nordstrom <hno@marasystems.com>)
  Author: laforge <laforge@netfilter.org> | Date: 2005-11-05 | Files: 1 | Lines: -1/+23