| Commit message (Collapse) | Author | Age | Files | Lines |
|
This patch fixes the problem that the CONNMARK mask value
has been set to 0 whenever the CONNMARK target options were
not the last options to be processed.
It initializes the mask value rather than setting it for
each parse.
Signed-off-by: Peter Warasin <peter@endian.com>
|
if NO_SHARED_LIBS is defined, then iptables shouldn't even include dlfcn.h.
otherwise you hit a build failure when using toolchains that do not provide
dlfcn.h because they do not support shared objects.
Signed-Off-By: Mike Frysinger <vapier@gentoo.org>
|
Remove our own definitions of the Linux types and use <linux/types.h>
instead. libiptc needs it too, or otherwise will choke on union
nf_inet_addr.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
This patch is an improvement of r7098 (made by me).
Assuring compatibility between 1.4.0 and older versions,
regarding chain sorting.
Chains from kernel are already sorted, as they are inserted
sorted. But there exists an issue when shifting to 1.4.0
from an older version, as old versions allow last created
chain to be unsorted. This unsorted chain would survive in
1.4.0, as chains are now only sorted on creation.
This patch verifies that chains are sorted, if not it fixes the sorting.
Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
|
When running as a user iptables can't determine the highest supported
revision and exits. Assume all revisions are supported in case we get
an EPERM. If the user is not showing the help text but trying to add
new rules he'll get EPERM later anyway.
|
libxt_u32.man already exists.
|
Performance optimize scalability issue:
Sorting chain during pull-out gives worst-case runtime O(Chains^2).
When pulling out the blob, every chain name is inserted alphabetically
into a linked list (by function iptc_insert_chain()). The problem
with this approach is that the chain names delivered in the blob are
already sorted (as we push it back to the kernel sorted).
This causes chain parsing to always process every element in the chain
list and finish with a tail add. Causing worst-case runtime O(C^2/2)
for alphabetically sorting of chains.
The patch solves this by only calling iptc_insert_chain() when
creating new chains.
Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
|
iptables prints the mask as a prefix length if it is valid;
This patch makes iptables-save do the same.
Also, iptables-save will always print "/32" in the "-s addr/32"
case now. This reduces the amount of code external parsing scripts
need to provide to properly parse iptables-save output.
ip6tables-save already does the right thing, so no change there.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
Rename libipt_{time,u32}.man to libxt_{time,u32}.man to go
in line with the C files.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
Fix a typo in call to check_inverse().
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
Fixing a make/compile issue with iptables, release candidate 1.4.0rc1,
which has existed since SVN changeset 6920. This patch adds ip_tables.h
and ip6_tables.h, and updates x_tables.h, taken from Linus's git tree.
Changeset 6920 added the include file x_tables.h from kernel source, but
didn't add ip_tables.h and ip6_tables.h.
At some point (Tue Nov 14 19:48:48 2006, by Yasuyuki Kozakai) these
kernel headers were changed, which actually removes certain
dependencies from ip_tables.h and ip6_tables.h to x_tables.h.
If compiling will fail, with old kernel headers (ip_tables.h and
ip6_tables.h) available in systems include path, because they depend on
certain defines in x_tables.h which is missing in the version in SVN.
Jesper Brouer <jdb@comx.dk>
|
The --random option produces "Unknown arg `--random'" errors with both the
DNAT and REDIRECT targets. Corrected by the attached patch.
Tom Eastep <teastep@shorewall.net>
|
adds --table to iptables-restore which allows to restore only the supplied table
Signed-off-by: Peter Warasin <peter@endian.com>
|
Sorry forgot to mention that the "ip6tables-multi.c" (in the patch) which is
not in the repository has to be manually added.
Hann-huei Chiou <koala@ascenvision.com>
|
The iptables.8 and ip6tables.8 man pages are now generated from libxt_*.man
files too. For xtables modules one man page is enough with libxt_ prefix.
The match and target lists are sorted alphabetically.
The make command doesn't print anything when it creates man pages.
Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
|
When defining DO_MULTI=1 in Makefile, only iptables is built as
a single multipurpose binary. This patch makes ip6tables also be
built in the same manner.
Hann-huei Chiou <koala@ascenvision.com>
|
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|