Diffstat (limited to 'extensions')
-rw-r--r--extensions/libip6t_DNPT.c4
-rw-r--r--extensions/libip6t_SNPT.c4
-rw-r--r--extensions/libip6t_mh.man2
-rw-r--r--extensions/libxt_CLASSIFY.c4
-rw-r--r--extensions/libxt_CT.c4
-rw-r--r--extensions/libxt_DNAT.man (renamed from extensions/libipt_DNAT.man)15
-rw-r--r--extensions/libxt_NETMAP.man (renamed from extensions/libipt_NETMAP.man)2
-rw-r--r--extensions/libxt_NFQUEUE.c63
-rw-r--r--extensions/libxt_NFQUEUE.man7
-rw-r--r--extensions/libxt_RATEEST.c4
-rw-r--r--extensions/libxt_REDIRECT.man (renamed from extensions/libipt_REDIRECT.man)13
-rw-r--r--extensions/libxt_SNAT.man (renamed from extensions/libipt_SNAT.man)15
-rw-r--r--extensions/libxt_addrtype.c2
-rw-r--r--extensions/libxt_policy.c4
-rw-r--r--extensions/libxt_rateest.c4
-rw-r--r--extensions/libxt_statistic.c4
16 files changed, 124 insertions, 27 deletions
diff --git a/extensions/libip6t_DNPT.c b/extensions/libip6t_DNPT.c
index 703adf60..a442de6d 100644
--- a/extensions/libip6t_DNPT.c
+++ b/extensions/libip6t_DNPT.c
@@ -1,3 +1,7 @@
+/*
+ * Copyright (c) 2012-2013 Patrick McHardy <kaber@trash.net>
+ */
+
#include <stdio.h>
#include <string.h>
#include <xtables.h>
diff --git a/extensions/libip6t_SNPT.c b/extensions/libip6t_SNPT.c
index 7ed80b20..4f10de03 100644
--- a/extensions/libip6t_SNPT.c
+++ b/extensions/libip6t_SNPT.c
@@ -1,3 +1,7 @@
+/*
+ * Copyright (c) 2012-2013 Patrick McHardy <kaber@trash.net>
+ */
+
#include <stdio.h>
#include <string.h>
#include <xtables.h>
diff --git a/extensions/libip6t_mh.man b/extensions/libip6t_mh.man
index 4559e783..8ec08c6f 100644
--- a/extensions/libip6t_mh.man
+++ b/extensions/libip6t_mh.man
@@ -8,5 +8,5 @@ a numeric MH
.IR type
or one of the MH type names shown by the command
.nf
- ip6tables \-p ipv6\-mh \-h
+ ip6tables \-p mh \-h
.fi
diff --git a/extensions/libxt_CLASSIFY.c b/extensions/libxt_CLASSIFY.c
index ee0f9e1c..e04657ae 100644
--- a/extensions/libxt_CLASSIFY.c
+++ b/extensions/libxt_CLASSIFY.c
@@ -1,3 +1,7 @@
+/*
+ * Copyright (c) 2003-2013 Patrick McHardy <kaber@trash.net>
+ */
+
#include <stdio.h>
#include <xtables.h>
#include <linux/netfilter/xt_CLASSIFY.h>
diff --git a/extensions/libxt_CT.c b/extensions/libxt_CT.c
index a576a953..c8437b6c 100644
--- a/extensions/libxt_CT.c
+++ b/extensions/libxt_CT.c
@@ -1,3 +1,7 @@
+/*
+ * Copyright (c) 2010-2013 Patrick McHardy <kaber@trash.net>
+ */
+
#include <stdio.h>
#include <string.h>
#include <xtables.h>
diff --git a/extensions/libipt_DNAT.man b/extensions/libxt_DNAT.man
index d5ded35b..225274ff 100644
--- a/extensions/libipt_DNAT.man
+++ b/extensions/libxt_DNAT.man
@@ -7,20 +7,17 @@ and
chains, and user-defined chains which are only called from those
chains. It specifies that the destination address of the packet
should be modified (and all future packets in this connection will
-also be mangled), and rules should cease being examined. It takes one
-type of option:
+also be mangled), and rules should cease being examined. It takes the
+following options:
.TP
\fB\-\-to\-destination\fP [\fIipaddr\fP[\fB\-\fP\fIipaddr\fP]][\fB:\fP\fIport\fP[\fB\-\fP\fIport\fP]]
which can specify a single new destination IP address, an inclusive
-range of IP addresses, and optionally, a port range (which is only
-valid if the rule also specifies
-\fB\-p tcp\fP
-or
-\fB\-p udp\fP).
+range of IP addresses. Optionally a port range,
+if the rule also specifies one of the following protocols:
+\fBtcp\fP, \fBudp\fP, \fBdccp\fP or \fBsctp\fP.
If no port range is specified, then the destination port will never be
modified. If no IP address is specified then only the destination port
will be modified.
-
In Kernels up to 2.6.10 you can add several \-\-to\-destination options. For
those kernels, if you specify more than one destination address, either via an
address range or multiple \-\-to\-destination options, a simple round-robin (one
@@ -37,3 +34,5 @@ is used then port mapping will be randomized (kernel >= 2.6.22).
Gives a client the same source-/destination-address for each connection.
This supersedes the SAME target. Support for persistent mappings is available
from 2.6.29-rc2.
+.TP
+IPv6 support available since Linux kernels >= 3.7.
diff --git a/extensions/libipt_NETMAP.man b/extensions/libxt_NETMAP.man
index a7e90b8d..06507db7 100644
--- a/extensions/libipt_NETMAP.man
+++ b/extensions/libxt_NETMAP.man
@@ -7,3 +7,5 @@ table.
Network address to map to. The resulting address will be constructed in the
following way: All 'one' bits in the mask are filled in from the new `address'.
All bits that are zero in the mask are filled in from the original address.
+.TP
+IPv6 support available since Linux kernels >= 3.7.
diff --git a/extensions/libxt_NFQUEUE.c b/extensions/libxt_NFQUEUE.c
index 8c2f6999..0c869187 100644
--- a/extensions/libxt_NFQUEUE.c
+++ b/extensions/libxt_NFQUEUE.c
@@ -13,8 +13,10 @@ enum {
O_QUEUE_NUM = 0,
O_QUEUE_BALANCE,
O_QUEUE_BYPASS,
+ O_QUEUE_CPU_FANOUT,
F_QUEUE_NUM = 1 << O_QUEUE_NUM,
F_QUEUE_BALANCE = 1 << O_QUEUE_BALANCE,
+ F_QUEUE_CPU_FANOUT = 1 << O_QUEUE_CPU_FANOUT,
};
static void NFQUEUE_help(void)
@@ -37,7 +39,15 @@ static void NFQUEUE_help_v2(void)
{
NFQUEUE_help_v1();
printf(
-" --queue-bypass Bypass Queueing if no queue instance exists.\n");
+" --queue-bypass Bypass Queueing if no queue instance exists.\n"
+" --queue-cpu-fanout Use current CPU (no hashing)\n");
+}
+
+static void NFQUEUE_help_v3(void)
+{
+ NFQUEUE_help_v2();
+ printf(
+" --queue-cpu-fanout Use current CPU (no hashing)\n");
}
#define s struct xt_NFQ_info
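Review bot: NFQUEUE_help_v2 now prints the `--queue-cpu-fanout` line itself, and the new NFQUEUE_help_v3 calls NFQUEUE_help_v2 and then prints the same line again, so the revision 3 help lists the option twice. It also makes the revision 2 help advertise a flag that, in the lines shown, only NFQUEUE_parse_v3 acts on. Keeping the v2 string as the single `--queue-bypass` line it was before, and leaving the new line only in NFQUEUE_help_v3, fixes both.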
@@ -48,6 +58,8 @@ static const struct xt_option_entry NFQUEUE_opts[] = {
{.name = "queue-balance", .id = O_QUEUE_BALANCE,
.type = XTTYPE_UINT16RC, .excl = F_QUEUE_NUM},
{.name = "queue-bypass", .id = O_QUEUE_BYPASS, .type = XTTYPE_NONE},
+ {.name = "queue-cpu-fanout", .id = O_QUEUE_CPU_FANOUT,
+ .type = XTTYPE_NONE, .also = F_QUEUE_BALANCE},
XTOPT_TABLEEND,
};
#undef s
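Review bot: The `queue-cpu-fanout` entry is added to NFQUEUE_opts, which the registration hunk shows as the `.x6_options` table for revision 2 as well as the new revision 3, so the option is accepted even when an older revision is the one in use. Only NFQUEUE_parse_v3 handles O_QUEUE_CPU_FANOUT in the visible lines; NFQUEUE_parse_v2's body is outside this diff, but if its switch has no matching case the rule is installed without fanout and without an error, and the operator has no indication that the per-CPU distribution they asked for is not in effect. A rejection placed in NFQUEUE_parse_v2 would also fire for revision 3, because NFQUEUE_parse_v3 delegates to it first, so the cleaner fix is a separate option table for revision 3 (for example a copy of this one named `NFQUEUE_opts_v3`, a proposed name) with the new entry only there.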
@@ -92,6 +104,18 @@ static void NFQUEUE_parse_v2(struct xt_option_call *cb)
}
}
+static void NFQUEUE_parse_v3(struct xt_option_call *cb)
+{
+ struct xt_NFQ_info_v3 *info = cb->data;
+
+ NFQUEUE_parse_v2(cb);
+ switch (cb->entry->id) {
+ case O_QUEUE_CPU_FANOUT:
+ info->flags |= NFQ_FLAG_CPU_FANOUT;
+ break;
+ }
+}
+
static void NFQUEUE_print(const void *ip,
const struct xt_entry_target *target, int numeric)
{
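Review bot: NFQUEUE_parse_v3 hands its xt_NFQ_info_v3 payload to NFQUEUE_parse_v2 and then ORs NFQ_FLAG_CPU_FANOUT into `info->flags`, which is only correct if `flags` in the v3 struct occupies the same bytes as `bypass` in the v2 struct and the value parse_v2 stores there equals NFQ_FLAG_BYPASS. Neither struct definition nor the body of NFQUEUE_parse_v2 is in this diff, so that cannot be confirmed from here. The `info->bypass & NFQ_FLAG_BYPASS` changes in the NFQUEUE_print_v2 and NFQUEUE_save_v2 hunks depend on the same overlay. A comment above the function would make the dependency explicit, e.g. `/* v3 shares v2's layout: ->flags overlays ->bypass, NFQ_FLAG_BYPASS is the old bypass bit */`.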
@@ -120,10 +144,20 @@ static void NFQUEUE_print_v2(const void *ip,
const struct xt_NFQ_info_v2 *info = (void *) target->data;
NFQUEUE_print_v1(ip, target, numeric);
- if (info->bypass)
+ if (info->bypass & NFQ_FLAG_BYPASS)
printf(" bypass");
}
+static void NFQUEUE_print_v3(const void *ip,
+ const struct xt_entry_target *target, int numeric)
+{
+ const struct xt_NFQ_info_v3 *info = (void *)target->data;
+
+ NFQUEUE_print_v2(ip, target, numeric);
+ if (info->flags & NFQ_FLAG_CPU_FANOUT)
+ printf(" cpu-fanout");
+}
+
static void NFQUEUE_save(const void *ip, const struct xt_entry_target *target)
{
const struct xt_NFQ_info *tinfo =
@@ -151,10 +185,20 @@ static void NFQUEUE_save_v2(const void *ip, const struct xt_entry_target *target
NFQUEUE_save_v1(ip, target);
- if (info->bypass)
+ if (info->bypass & NFQ_FLAG_BYPASS)
printf(" --queue-bypass");
}
+static void NFQUEUE_save_v3(const void *ip,
+ const struct xt_entry_target *target)
+{
+ const struct xt_NFQ_info_v3 *info = (void *)target->data;
+
+ NFQUEUE_save_v2(ip, target);
+ if (info->flags & NFQ_FLAG_CPU_FANOUT)
+ printf(" --queue-cpu-fanout");
+}
+
static void NFQUEUE_init_v1(struct xt_entry_target *t)
{
struct xt_NFQ_info_v1 *tinfo = (void *)t->data;
@@ -199,6 +243,19 @@ static struct xtables_target nfqueue_targets[] = {
.save = NFQUEUE_save_v2,
.x6_parse = NFQUEUE_parse_v2,
.x6_options = NFQUEUE_opts,
+},{
+ .family = NFPROTO_UNSPEC,
+ .revision = 3,
+ .name = "NFQUEUE",
+ .version = XTABLES_VERSION,
+ .size = XT_ALIGN(sizeof(struct xt_NFQ_info_v3)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_NFQ_info_v3)),
+ .help = NFQUEUE_help_v3,
+ .init = NFQUEUE_init_v1,
+ .print = NFQUEUE_print_v3,
+ .save = NFQUEUE_save_v3,
+ .x6_parse = NFQUEUE_parse_v3,
+ .x6_options = NFQUEUE_opts,
}
};
diff --git a/extensions/libxt_NFQUEUE.man b/extensions/libxt_NFQUEUE.man
index f11e0c89..7a991291 100644
--- a/extensions/libxt_NFQUEUE.man
+++ b/extensions/libxt_NFQUEUE.man
@@ -23,3 +23,10 @@ Packets belonging to the same connection are put into the same nfqueue.
By default, if no userspace program is listening on an NFQUEUE, then all packets that are to be queued
are dropped. When this option is used, the NFQUEUE rule behaves like ACCEPT instead, and the packet
will move on to the next table.
+.PP
+.TP
+\fB\-\-queue\-cpu-fanout\fP
+Available starting Linux kernel 3.10. When used together with
+\fB--queue-balance\fP this will use the CPU ID as an index to map packets to
+the queues. The idea is that you can improve performance if there's a queue
+per CPU. This requires \fB--queue-balance\fP to be specified.
diff --git a/extensions/libxt_RATEEST.c b/extensions/libxt_RATEEST.c
index acdefb90..449ceab6 100644
--- a/extensions/libxt_RATEEST.c
+++ b/extensions/libxt_RATEEST.c
@@ -1,3 +1,7 @@
+/*
+ * Copyright (c) 2008-2013 Patrick McHardy <kaber@trash.net>
+ */
+
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
diff --git a/extensions/libipt_REDIRECT.man b/extensions/libxt_REDIRECT.man
index 90ab19d7..3400a6df 100644
--- a/extensions/libipt_REDIRECT.man
+++ b/extensions/libxt_REDIRECT.man
@@ -7,19 +7,18 @@ and
chains, and user-defined chains which are only called from those
chains. It redirects the packet to the machine itself by changing the
destination IP to the primary address of the incoming interface
-(locally-generated packets are mapped to the 127.0.0.1 address).
+(locally-generated packets are mapped to the localhost address,
+127.0.0.1 for IPv4 and ::1 for IPv6).
.TP
\fB\-\-to\-ports\fP \fIport\fP[\fB\-\fP\fIport\fP]
This specifies a destination port or range of ports to use: without
this, the destination port is never altered. This is only valid
-if the rule also specifies
-\fB\-p tcp\fP
-or
-\fB\-p udp\fP.
+if the rule also specifies one of the following protocols:
+\fBtcp\fP, \fBudp\fP, \fBdccp\fP or \fBsctp\fP.
.TP
\fB\-\-random\fP
If option
\fB\-\-random\fP
is used then port mapping will be randomized (kernel >= 2.6.22).
-.RS
-.PP
+.TP
+IPv6 support available starting Linux kernels >= 3.7.
diff --git a/extensions/libipt_SNAT.man b/extensions/libxt_SNAT.man
index 093b09c4..f0620a21 100644
--- a/extensions/libipt_SNAT.man
+++ b/extensions/libxt_SNAT.man
@@ -7,21 +7,18 @@ and
chains, and user-defined chains which are only called from those
chains. It specifies that the source address of the packet should be
modified (and all future packets in this connection will also be
-mangled), and rules should cease being examined. It takes one type
-of option:
+mangled), and rules should cease being examined. It takes the
+following options:
.TP
\fB\-\-to\-source\fP [\fIipaddr\fP[\fB\-\fP\fIipaddr\fP]][\fB:\fP\fIport\fP[\fB\-\fP\fIport\fP]]
which can specify a single new source IP address, an inclusive range
-of IP addresses, and optionally, a port range (which is only valid if
-the rule also specifies
-\fB\-p tcp\fP
-or
-\fB\-p udp\fP).
+of IP addresses. Optionally a port range,
+if the rule also specifies one of the following protocols:
+\fBtcp\fP, \fBudp\fP, \fBdccp\fP or \fBsctp\fP.
If no port range is specified, then source ports below 512 will be
mapped to other ports below 512: those between 512 and 1023 inclusive
will be mapped to ports below 1024, and other ports will be mapped to
1024 or above. Where possible, no port alteration will occur.
-
In Kernels up to 2.6.10, you can add several \-\-to\-source options. For those
kernels, if you specify more than one source address, either via an address
range or multiple \-\-to\-source options, a simple round-robin (one after another
@@ -44,3 +41,5 @@ Kernels prior to 2.6.36-rc1 don't have the ability to
in the
.B INPUT
chain.
+.TP
+IPv6 support available since Linux kernels >= 3.7.
diff --git a/extensions/libxt_addrtype.c b/extensions/libxt_addrtype.c
index e8a85456..e5d3033c 100644
--- a/extensions/libxt_addrtype.c
+++ b/extensions/libxt_addrtype.c
@@ -1,4 +1,6 @@
/* Shared library add-on to iptables to add addrtype matching support
+ *
+ * Copyright (c) 2003-2013 Patrick McHardy <kaber@trash.net>
*
* This program is released under the terms of GNU GPL */
#include <stdio.h>
diff --git a/extensions/libxt_policy.c b/extensions/libxt_policy.c
index 54ec2294..0a64a80c 100644
--- a/extensions/libxt_policy.c
+++ b/extensions/libxt_policy.c
@@ -1,3 +1,7 @@
+/*
+ * Copyright (c) 2005-2013 Patrick McHardy <kaber@trash.net>
+ */
+
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
diff --git a/extensions/libxt_rateest.c b/extensions/libxt_rateest.c
index 185a8135..fb244121 100644
--- a/extensions/libxt_rateest.c
+++ b/extensions/libxt_rateest.c
@@ -1,3 +1,7 @@
+/*
+ * Copyright (c) 2008-2013 Patrick McHardy <kaber@trash.net>
+ */
+
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
diff --git a/extensions/libxt_statistic.c b/extensions/libxt_statistic.c
index c23805fb..b6ae5f5c 100644
--- a/extensions/libxt_statistic.c
+++ b/extensions/libxt_statistic.c
@@ -1,3 +1,7 @@
+/*
+ * Copyright (c) 2006-2013 Patrick McHardy <kaber@trash.net>
+ */
+
#include <math.h>
#include <stdio.h>
#include <string.h>