| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |\ |
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| | |
References: http://bugs.debian.org/632804
References: http://marc.info/?l=netfilter-devel&m=130999299016674&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| |
| | |
Avoid a crash in xs_init_match when a clone's m->udata points at the
parent.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| | |
Intrapositional negation was deprecated in 1.4.3.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| | |
References: http://bugzilla.netfilter.org/show_bug.cgi?id=727
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
An empty hostname in the address list of an -s/-d argument, which may
be the result of a typo, is interpreted as 0/0, which, when combined
with -j ACCEPT, leads to an undesired opening of the firewall.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=727
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |\| |
|
| | |
| |
| |
| |
| |
| |
| | |
This move was missed in commit v1.4.11~77^2~6.
References: http://bugs.debian.org/632695
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| |
| | |
Make it possible to have multiple types of ELF classes for the
extension modules by putting them in an arch-dependent path.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |\| |
|
| | |
| |
| |
| |
| |
| |
| |
| | |
"-vv" can be used to further increase the verbosity level. Document
this.
References: http://bugs.debian.org/616037
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
ip6tables-apply points to iptables-apply (which is good). Since
iptables/ip6tables rule files are different, the reporter suggests
that the DEFAULT_FILE variable should depend on whether iptables-apply
or ip6tables-apply is run.
References: http://bugs.debian.org/547734
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
iptables no longer compiles for Linux 2.4 because it uses
linux/magic.h. This header and the PROC_SUPER_MAGIC macro are only for
Linux 2.6.
xtables.c:35:52: error: linux/magic.h: No such file or directory
xtables.c: In function 'proc_file_exists':
xtables.c:389: error: 'PROC_SUPER_MAGIC' undeclared (first use in
this function)
xtables.c:389: error: (Each undeclared identifier is reported only
once for each function it appears in.)
References: http://bugzilla.netfilter.org/show_bug.cgi?id=720
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| | |
References: http://bugzilla.netfilter.org/show_bug.cgi?id=723
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
I cannot delete a rule by matching it if the target of the rule is
RATEEST.
Copy-paste from terminal:
# iptables -t mangle -A PREROUTING -j RATEEST
--rateest-name somename --rateest-interval 250ms
--rateest-ewmalog 4s
# iptables -t mangle -D PREROUTING -j RATEEST
--rateest-name somename --rateest-interval 250ms
--rateest-ewmalog 4s
iptables: No chain/target/match by that name.
I saw in comments of the kernel code that the last part of the struct
xt_rateest_target_info is used only by kernel:
struct xt_rateest_target_info {
char name[IFNAMSIZ];
__s8 interval;
__u8 ewma_log;
/* Used internally by the kernel */
struct xt_rateest *est __attribute__((aligned(8)));
};
but in struct xtables_target, .size and .userspacesize are equal.
Simply correcting this solved the problem.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=724
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
xtables.c:320: alloc_fn: Calling allocation function "get_modprobe".
xtables.c:294: alloc_fn: Storage is returned from allocation function "malloc".
xtables.c:294: var_assign: Assigning: "ret" = "malloc(1024UL)".
xtables.c:304: return_alloc: Returning allocated memory "ret".
xtables.c:320: var_assign: Assigning: "buf" = storage returned from "get_modprobe()".
xtables.c:323: var_assign: Assigning: "modprobe" = "buf".
xtables.c:348: leaked_storage: Variable "buf" going out of scope
leaks the storage it points to.
xtables.c:348: leaked_storage: Returning without freeing "modprobe"
leaks the storage that it points to.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
xtables.c:931: va_init: Initializing va_list "args".
xtables.c:938: missing_va_end: va_end was not called for "args".
xtables.c:947: missing_va_end: va_end was not called for "args".
xtables.c:961: missing_va_end: va_end was not called for "args".
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
ip6tables-restore.c:186: deref_ptr_in_call: Dereferencing pointer "in".
ip6tables-restore.c:463: check_after_deref: Dereferencing "in"
before a null check.
iptables-restore.c:192: deref_ptr_in_call: Dereferencing pointer "in".
iptables-restore.c:468: check_after_deref: Dereferencing "in" before a
null check.
iptables-xml.c:671: deref_ptr_in_call: Dereferencing pointer "in".
iptables-xml.c:873: check_after_deref: Dereferencing "in" before a
null check.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
libipq.c:232: var_tested_neg: Variable "h->fd" tests negative.
libipq.c:234: negative_returns: "h->fd" is passed to a parameter that
cannot be negative.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
libiptc.c:407: dead_error_condition: On this path, the condition
"res > 0" cannot be false.
libiptc.c:396: at_least: After this line, the value of "res" is at
least 1.
libiptc.c:393: equality_cond: Condition "res == 0" is evaluated as
false.
libiptc.c:396: new_values: Noticing condition "res < 0".
libiptc.c:425: new_values: Noticing condition "res < 0".
libiptc.c:407: new_values: Noticing condition "res > 0".
libiptc.c:435: dead_error_line: Execution cannot reach this statement
"return list_pos;".
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| | |
Cf. commit v1.4.11.1-5-g2dba676.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Due to the previous default expiry of 10 sec, "--hashlimit 1/min"
would allow matching up to 6/min if a properly timed. To do what the
user expects, the minimum expiry must equal the selected time quantum
however.
Cc: Jan Rovner <jan.rovner@diadema.cz>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| |
| | |
This is useful for the upcoming patch about per-instance auxiliary
data.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| |
| |
| |
| |
| |
| | |
Evil sed did not throw any warning whatsoever when it cannot find the
file.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In Linux kernels up to and including 2.6.38, with the exception of longterm
releases 2.6.32.42 (or later) and 2.6.33.15 (or later), there is a bug (*) whereby
IPv6 TOS mangling does not behave as documented and differs from the IPv4
version. The TOS mask indicates the bits one wants to zero out, so it needs to
be inverted before applying it to the original TOS field. However, the
aformentioned kernels forgo the inversion which breaks --set-tos and its
mnemonics.
(*) Fixed by upstream commit:
1ed2f73d90fb49bcf5704aee7e9084adb882bfc5 (netfilter: IPv6: fix DSCP mangle code)
Signed-off-by: Fernando Luis Vazquez Cao <fernando@oss.ntt.co.jp>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
| |
The section about MASQUERADE specifies that it takes a single option,
but in reality it takes two: --to-ports and --random.
Signed-off-by: Vlad Dogaru <ddvlad@rosedu.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
| |
These got lost on commit v1.4.11-12-g5c8f5b6.
Note: When /usr/include/libiptc/libiptc.h exists, this error is
masked away :-/ (IMO, #include-with-quotes "foo.h" should not
search system dirs...)
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
`iptables -A INPUT -p tcp ! --syn` forgot the negation, i.e. it
was not present in a subsequent `iptables -S`.
Commit v1.4.11~77^2~9 missed the fact that after autoloading a proto
extension, cs.invert must not be touched until the next getopt call.
This is now fixed by having command_default return a value to indicate
whether to jump or not.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
|
|
|
| |
These rulesets use practically all options (I may have missed some)
for verification that the new Guided Option Parser would take the same
input as the old open-coded ones did. They might come in handy at some
point.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
| |
(Unclutter top-level dir)
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
|
|
| |
Commit v1.4.11-4-gde791ff did not actually build the iptables-xml code
into the xtables-multi binary.
Signed-off-by: Maciej Zenczykowski <maze@google.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
|
| |
The word "occur" had ufortunately been removed in v1.3.8~23.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=707
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
| |
References; http://bugzilla.netfilter.org/show_bug.cgi?id=713
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
| |
References: http://bugzilla.netfilter.org/show_bug.cgi?id=713
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
|
| |
This is where they belong, after all.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=713
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
| |
References: http://bugs.debian.org/623112
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The Open Build Service/rpmlint flagged the outdated address in the
license text :-)
iptables.x86_64: W: incorrect-fsf-address
/usr/share/doc/packages/iptables/COPYING
The Free Software Foundation address in this file seems to be outdated
or misspelled. Ask upstream to update the address, or if this is a
license file, possibly the entire file with a new copy available from
the FSF.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
