| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Gabor Z. Papp noted this link-time error when configuring with
--enable-static:
extensions/libext4.a(initext4.o): In function "init_extensions":
extensions/initext4.c:144: undefined reference to "libxt_IDLETIMER_init"
extensions/initext4.c:145: undefined reference to "libxt_TEE_init"
Indeed, since the two modules did not use our special macro "_init"
(which expands to libxt_foo_init), initext4.c could not find them by
that name. Correct this.
References: http://marc.info/?l=netfilter&m=128085480927924&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
| |
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
| |
The output generated by the libxt_rateest extension for bps matches
was wrong and could not be restored properly. This patch fixes this
problem by using the correct options in the right order when saving
the table.
Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
| |
The xt_quota_info flags should be set properly for the --quota option negation
support.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
| |
There were a few typos in some options in the rateest match section of the
man page: --rateest1-bps should be --rateest-bps1 and so on.
Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
libipt_set renamed to libxt_set and the support for the forthcoming
ipset release added. I have tested backward (IPv4) and forward
compatibility (IPv4/IPv6):
ipset -N test iphash
ipset -A test test-address
iptables -N test-set
iptables -A test-set -j LOG --log-prefix "match "
iptables -A test-set -j DROP
iptables -A OUTPUT -m set --match-set test dst -j test-set
ping test-address
|
|\ \ |
|
| | |
| | |
| | |
| | |
| | | |
References: http://bugzilla.netfilter.org/show_bug.cgi?id=659
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
iptables -L lists the burst value, and so should iptables -S. I was
certainly surprised to see it gone even when explicitly specifying
--hashlimit-burst 5 on the command line.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|\| |
| |/
|/| |
|
| |
| |
| |
| |
| |
| |
| |
| | |
Since iptables uses its own copies of the header files anyway where the
revision field is exposed, there is no reach to access name[] beyond its
size.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| | |
Since XT_EXTENSION_MAXNAMELEN is now available, make use of it
and clear the confusion.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The latest kernel has implemented Partial Reliability Extension
that defined in RFC3758.
This patch adds FORWARD_TSN chunk for tracing.
Signed-off-by: Shan Wei<shanwei@cn.fujitsu.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|/
|
|
|
|
|
|
|
|
|
| |
SACK-IMMEDIATELY extension has defined in:
http://tools.ietf.org/html/draft-tuexen-tsvwg-sctp-sack-immediately-03.
And the latest kernel has added a I flag in DATA chunk to support this extension.
So let iptables/netfilter can trace it.
Signed-off-by: Shan Wei<shanwei@cn.fujitsu.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
| |
Verbatim dashes need to be backslash-prefixed.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
| |
For the xt_LED target introduced in Linux 2.6.31.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
| |
References: http://bugzilla.netfilter.org/show_bug.cgi?id=646
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
| |
References: http://bugzilla.netfilter.org/show_bug.cgi?id=653
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes this compile error:
CC nfnl_osf.o
nfnl_osf.c:48:36: fatal error: linux/netfilter/xt_osf.h: No such file or directory
compilation terminated.
References: http://marc.info/?l=netfilter&m=127449929621579&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
| |
This reverts commit 110c1e4502e21ea38e0980e6f8af857d24330099.
Revert the revert to restore the TEE target.
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
| |
This reverts commit 65414babaebcd403e9bf2c27d9d74adb369bf3aa, reversing
changes made to 7278461dfad72e2008585dd0bac0e889e5bba99e.
Forgot to commit the version increase.
|
|\ |
|
| |\ |
|
| | |
| | |
| | |
| | |
| | |
| | | |
xt_TEE is firstly included in Linux 2.6.35.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Rewrite port range validator to use xtables_strtoui() and
xtables_param_act(). Original check failed to recognize
such port range errors as "1a-2" and "1-2a".
Also, original parser erroneously denied using port 0,
which is now allowed.
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| | |
| | |
| | |
| | |
| | | |
Reported by yang.xuhui@jfsys.com.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Found by gcc -Wmissing-noreturn.
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Rewrite port range validator to use xtables_strtoui() and
xtables_param_act(). Original check failed to recognize
several types of port range errors, including:
"-1", "-1a", "-1-a", "a-1", "1a-2", "1-2a", etc.
Also, original parser erroneously denied using port 0,
which is now allowed.
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Many toolchains for embedded systems don't have largefile support:
usr/include/features.h:383:4: error: #error It appears you have defined _FILE_OFFSET_BITS=64. Unfortunately, uClibc was built without large file support enabled.
In file included from /build_armeb/staging_dir/usr/include/stdio.h:72,
from libiptc/libip4tc.c:18:
/build_armeb/staging_dir/usr/include/bits/uClibc_stdio.h:72:2: error: #error Sorry... uClibc was built without large file support!
In file included from libiptc/libip4tc.c:18:
/build_armeb/staging_dir/usr/include/stdio.h:83: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'fpos_t'
In file included from libiptc/libip4tc.c:18:
/build_armeb/staging_dir/usr/include/stdio.h:709: error: expected declaration specifiers or '...' before 'fpos_t'
/build_armeb/staging_dir/usr/include/stdio.h:711: error: expected ';', ',' or ')' before '*' token
Signed-off-by: Karl Hiramoto <karl@hiramoto.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| |
| | |
Signed-off-by: Simon Lodal <simonl@parknet.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch fixes the following problem:
# iptables -t raw -I PREROUTING -t raw -j CT --ctevents assured
iptables v1.4.7: Unknown event type "assured"
Try `iptables -h' or 'iptables --help' for more information.
However, `assured' is one of the supported arguments for --ctevents.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
iprange_parse() was incomplete and did not include parsed ranges into
ipt_iprange_info structure resulting in always adding range
0.0.0.0-0.0.0.0 in the kernel.
Moreover, when using --dst-range, error messages may display
--src-range instead. Fix this too.
Signed-off-by: Vincent Bernat <bernat@luffy.cx>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|/
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
| |
xt_osf is pretty useless without the actual fingerprint loader. Import
nfnl_osf-2009-06-07 and make it a part of the iptables distribution.
Cc: Evgeniy Polyakov <johnpol@2ka.mxt.ru>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
| |
There was no real restriction, and in fact, the kernel module never
had such a limitation in the last years.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
| |
MARK used to be limited to the mangle table, but there was no real
restriction.
References: http://marc.info/?l=netfilter-devel&m=126806510332668&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
| |
* iptables-restore was not checking for chain name length
* iptables was not checking for match name length
* target length was checked against 32, not 29.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=641
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
| |
Since libxt_comment.man is included in both iptables.8 and
ip6tables.8, we should probably try to create examples that do not
rely on either address family.
References: http://bugs.debian.org/572628
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
| |
Change dump_entry() signature defined in libip4tc.c to match prototype
declared in libiptc.c and another static dump_entry() function defined
in libip6tc.c. This function is not a part of the public libiptc API.
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|