diff options
-rw-r--r-- | extensions/libxt_recent.man | 4 | ||||
-rw-r--r-- | ip6tables.8.in | 10 | ||||
-rw-r--r-- | ip6tables.c | 10 | ||||
-rw-r--r-- | iptables.8.in | 8 | ||||
-rw-r--r-- | iptables.c | 10 |
5 files changed, 26 insertions, 16 deletions
diff --git a/extensions/libxt_recent.man b/extensions/libxt_recent.man index 9d5a64ee..aa138df3 100644 --- a/extensions/libxt_recent.man +++ b/extensions/libxt_recent.man @@ -44,7 +44,9 @@ This option must be used in conjunction with one of \fB\-\-rcheck\fP or address is in the list and packets had been received greater than or equal to the given value. This option may be used along with \fB\-\-seconds\fP to create an even narrower match requiring a certain number of hits within a specific -time frame. +time frame. The maximum value for the hitcount parameter is given by the +"ip_pkt_list_tot" parameter of the xt_recent kernel module. Exceeding this +value on the command line will cause the rule to be rejected. .TP \fB\-\-rttl\fP This option may only be used in conjunction with one of \fB\-\-rcheck\fP or diff --git a/ip6tables.8.in b/ip6tables.8.in index 66d8543c..56881331 100644 --- a/ip6tables.8.in +++ b/ip6tables.8.in @@ -240,10 +240,12 @@ option is omitted. .TP [\fB!\fP] \fB\-s\fP, \fB\-\-source\fP \fIaddress\fP[\fB/\fP\fImask\fP] Source specification. -\fIAddress\fP can be either a hostname (please note that specifying -any name to be resolved with a remote query such as DNS is a really bad idea), -a network IPv6 address (with \fB/\fP\fImask\fP), or a plain IPv6 address. -(the network name isn't supported now). +\fIAddress\fP can be either be a hostname, +a network IP address (with \fB/\fP\fImask\fP), or a plain IP address. +Names will be resolved once only, before the rule is submitted to the kernel. +Please note that specifying any name to be resolved with a remote query such as +DNS is a really bad idea. +(Resolving network names is not supported at this time.) The \fImask\fP is a plain number, specifying the number of 1's at the left side of the network mask. A "!" argument before the address specification inverts the sense of diff --git a/ip6tables.c b/ip6tables.c index f6daa51c..e2359dfe 100644 --- a/ip6tables.c +++ b/ip6tables.c @@ -758,13 +758,15 @@ static int replace_entry(const ip6t_chainlabel chain, struct ip6t_entry *fw, unsigned int rulenum, - const struct in6_addr *saddr, - const struct in6_addr *daddr, + const struct in6_addr *saddr, const struct in6_addr *smask, + const struct in6_addr *daddr, const struct in6_addr *dmask, int verbose, struct ip6tc_handle *handle) { fw->ipv6.src = *saddr; fw->ipv6.dst = *daddr; + fw->ipv6.smsk = *smask; + fw->ipv6.dmsk = *dmask; if (verbose) print_firewall_line(fw, handle); @@ -1947,8 +1949,8 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand break; case CMD_REPLACE: ret = replace_entry(chain, e, rulenum - 1, - saddrs, daddrs, options&OPT_VERBOSE, - *handle); + saddrs, smasks, daddrs, dmasks, + options&OPT_VERBOSE, *handle); break; case CMD_INSERT: ret = insert_entry(chain, e, rulenum - 1, diff --git a/iptables.8.in b/iptables.8.in index 928f46a9..d29deb2e 100644 --- a/iptables.8.in +++ b/iptables.8.in @@ -239,9 +239,11 @@ option is omitted. .TP [\fB!\fP] \fB\-s\fP, \fB\-\-source\fP \fIaddress\fP[\fB/\fP\fImask\fP][\fB,\fP\fI...\fP] Source specification. \fIAddress\fP -can be either a network name, a hostname (please note that specifying -any name to be resolved with a remote query such as DNS is a really bad idea), -a network IP address (with \fB/\fP\fImask\fP), or a plain IP address. +can be either a network name, a hostname, a network IP address (with +\fB/\fP\fImask\fP), or a plain IP address. Hostnames will +be resolved once only, before the rule is submitted to the kernel. +Please note that specifying any name to be resolved with a remote query such as +DNS is a really bad idea. The \fImask\fP can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. @@ -760,13 +760,15 @@ static int replace_entry(const ipt_chainlabel chain, struct ipt_entry *fw, unsigned int rulenum, - const struct in_addr *saddr, - const struct in_addr *daddr, + const struct in_addr *saddr, const struct in_addr *smask, + const struct in_addr *daddr, const struct in_addr *dmask, int verbose, struct iptc_handle *handle) { fw->ip.src.s_addr = saddr->s_addr; fw->ip.dst.s_addr = daddr->s_addr; + fw->ip.smsk.s_addr = smask->s_addr; + fw->ip.dmsk.s_addr = dmask->s_addr; if (verbose) print_firewall_line(fw, handle); @@ -1988,8 +1990,8 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle break; case CMD_REPLACE: ret = replace_entry(chain, e, rulenum - 1, - saddrs, daddrs, options&OPT_VERBOSE, - *handle); + saddrs, smasks, daddrs, dmasks, + options&OPT_VERBOSE, *handle); break; case CMD_INSERT: ret = insert_entry(chain, e, rulenum - 1, |