summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
| * iptables: manpage updates for augmented -Z syntaxJan Engelhardt2009-08-202-6/+8
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * iptables: expose option to zero packet/byte counters for a specific ruleMohit Mehta2009-08-202-14/+48
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | Bump version number to 1.4.5v1.4.5Patrick McHardy2009-09-142-3/+3
| | | | | | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* | man: fix incorrect plural in libipt_set.manPatrick McHardy2009-08-241-1/+1
|/ | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* manpages: more fixes to minuses, hyphens, dashesJan Engelhardt2009-08-2016-37/+33
| | | | | | | | | | | | | | | | Debian still carries patches patches to the iptables nroff code touching ASCII minuses, so I thought, what's it this time. Eventually, this patch tries to straighten things once more, per http://en.wikipedia.org/wiki/Wikipedia:Manual_of_Style#Hyphens and http://en.wikipedia.org/wiki/Wikipedia:Manual_of_Style#Dashes . Titles will get the em dash; all typed commands or parameters with a hyphen get a minus (so that man(1) hyperlinking and copy-pasting does work), but other mentions get the hyphen. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* manpage: fix lintian warningsLaurence J. Lane2009-08-202-2/+2
| | | | | | | | | | | Description: extraneous slash caused this lintian warning: W: iptables: manpage-has-errors-from-man usr/share/man/man8/iptables.8.gz 220: cannot use newline as a starting delimiter W: iptables: manpage-has-errors-from-man usr/share/man/man8/ip6tables.8.gz 1823: warning: `precedence'' not defined Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* ipt_set: fix a typo in the manpageTrent W. Buck2009-08-201-1/+1
| | | | | | References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=539101 Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_NFQUEUE: add new v1 version with queue-balance optionFlorian Westphal2009-08-203-10/+129
| | | | | | | | | | | | | | | | New version that adds support for specifying a queue range instead of a single queue id. The kernel will distribute flows across the given queue range. This is useful for multicore systems, simply start multiple instances of the userspace program on queues x, x+1, .. x+n and use "--queue-balance x:x+n". Packets belonging to the same connection are put into the same queue. With fixes from Jan Engelhardt. Signed-off-by: Florian Westphal <fwestphal@astaro.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
* Merge branch 'stable'Jan Engelhardt2009-08-053-22/+152
|\ | | | | | | | | | | | | Conflicts: extensions/libxt_conntrack.c Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxt_helper: fix invalid passed option to check_inverseJan Engelhardt2009-06-251-1/+1
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * xt_conntrack: revision 2 for enlarged state_mask memberJan Engelhardt2009-06-252-27/+161
| | | | | | | | | | | | This complements the xt_conntrack revision 2 code added to the kenrel. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | build: build only iptables-multiJan Engelhardt2009-07-251-37/+13
| | | | | | | | | | | | | | | | | | | | | | | | I see no pressing reason to install all single programs when the multi binary can do the job. Within the build directory, developers can run the components by means of, for example, ./ip6tables-multi {main|restore|save} ... And when make install-ed, symlinks are available. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | build: combine iptables-multi and iptables-staticJan Engelhardt2009-07-2510-40/+51
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changed the Makefile so that: 1. --enable-shared / --disable-shared control the linkage against libdl (and thus the potential to use 3rd party extensions) 2. --enable-static / --disable-static controls whether shipped extensions are built-in or provided as modules iptables-static becomes redundant by this action; iptables-multi now has the feature. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | build: fix struct size mismatchJan Engelhardt2009-07-251-4/+0
| | | | | | | | | | | | | | | | | | Mixing code compiled with and without -DNO_SHARED_LIBS is fine as long as the structs have the same layout. This patch prevents a potential (currently non-triggerable) "ip6tables: target (null)<123> is missing a version" error. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | multi binary: allow subcommand via argv[1]Jan Engelhardt2009-07-252-43/+70
| | | | | | | | | | | | | | | | | | libtool does not play well with symlinks when trying to run commands in the build directory. So provide an alternate way to call iptables-multi: when argv[0] is not a recognized name, inspect [1] for an alternate identifer. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | build: order of dependent libs is sensitiveJan Engelhardt2009-07-231-1/+1
| | | | | | | | | | | | | | libiptc.la must come after its components or `make install` won't get things right. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | COMMIT_NOTES: notice to check for soversion bumpsJan Engelhardt2009-06-261-1/+5
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | xtables: warn of missing version identifier in extensionsJan Engelhardt2009-06-261-0/+10
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | extensions: collapse data variables to use multi-reg callsJan Engelhardt2009-06-2615-566/+552
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | xtables: add multi-registration functionsJan Engelhardt2009-06-262-0/+16
| | | | | | | | | | | | Similar to the ones that are present in the kernel. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | extensions: remove empty help and parse functionsJan Engelhardt2009-06-267-127/+0
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | iptables: allow for help-less extensionsJan Engelhardt2009-06-265-40/+53
| | | | | | | | | | | | | | This is for extensions that do not take any options, and which subsequently do not offer any help text either. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | iptables: allow for parse-less extensionsJan Engelhardt2009-06-262-8/+10
| | | | | | | | | | | | This means we can do some code removal in extensions. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | extensions: collapse registration structuresJan Engelhardt2009-06-2627-474/+29
| | | | | | | | | | | | | | | | | | | | | | | | There are no different code paths between IPV4 and IPV6, so data can be consolidated here. text data bss dec hex filename 243757 12212 2576 258545 3f1f1 ip6tables-static[before.i586] 243613 9428 2576 255617 3e681 ip6tables-static[after.i586] -144 -2784 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | libiptc: split v4 and v6Jan Engelhardt2009-06-261-7/+12
| | | | | | | | | | | | | | The split can save some diskspace for constrained systems running which are only running one protocol. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | iptables: accept multiple IP address specifications for -s, -dMichael Granzow2009-06-267-34/+251
|/ | | | | | | | | | | | | | libiptc already supports adding and deleting multiple rules with different addresses, so it only needs to be wired up to the options. # ip6tables -I INPUT -s 2001:db8::d,2001:db8::e -j DROP References: http://marc.info/?l=netfilter-devel&m=123929790719202&w=2 Adjustments made: syntax, removal of unneeded variables, manpage adjustment, soversion bump. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Bump versionv1.4.4Patrick McHardy2009-06-161-1/+1
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* Merge branch 'stable' of git://dev.medozas.de/iptablesPatrick McHardy2009-06-1112-30/+39
|\
| * manpages: markup correctionsJan Engelhardt2009-06-105-26/+25
| | | | | | | | | | | | | | | | The manpage of xt_cluster and xt_recent had some unclosed tags. Backslashes in commands are also not wanted because manpages are a freeform, automatically-wrapped text. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * iptables: close open file descriptorsJan Engelhardt2009-06-105-0/+8
| | | | | | | | | | | | | | Just for correctness, close some file descriptors that were opened. (E.g. ip6tables-save reading from procfs files.) Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxt_connlimit: initialize v6_maskkd6lvw2009-06-101-1/+3
| | | | | | | | | | | | | | | | | | | | When converting "--connlimit-mask $bits" to a 128-bit v6 mask, the code uses a left shift on v6_mask[n]. This requires v6_mask to be filled with all one-bits beforehand, but this initialization was not done. References: http://bugzilla.netfilter.org/show_bug.cgi?id=597 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxt_tcp: manpage corrections and suggestionsIan Bruce2009-06-081-2/+2
| | | | | | | | | | | | | | | | | | | | From: Ian Bruce <ian_bruce@fastmail.net> The commit corrects some minor errors in the iptables(8) man page, related to port ranges in the "tcp" module. Reference: http://bugs.debian.org/531677 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxt_tcp: fix a manpage syntax typoFrank Tobin2009-06-081-1/+1
| | | | | | | | | | Reference: http://bugzilla.netfilter.org/show_bug.cgi?id=596 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | Updated set/SET match and target to support multiple ipset protocols.Jozsef Kadlecsik2009-06-115-44/+65
|/ | | | | | | | | | | By checking the protocol version of the kernel part, the sockopt type of ipset protocols are all supported. Forward compatibility with the netlink based protocol is missing. The --set option of the set match is replaced by --match-set to avoid clashing with the recent match, but the old option is also kept. Manpages are updated, references to bindings removed.
* extensions: remove redundant castsJan Engelhardt2009-06-082-8/+8
| | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* DNAT/SNAT: add manpage documentation for --persistent flagJan Engelhardt2009-06-083-4/+12
| | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* extensions: use NFPROTO_UNSPEC for .family fieldJan Engelhardt2009-06-0117-19/+19
| | | | | | | | This constant would be the designated one for the .family field; it also, given recent changes, makes grep for NFPROTO_UNSPEC work to finally recollect all manpages. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: fix manpage collectionJan Engelhardt2009-06-011-1/+4
| | | | | | | | | | | | Florian Westphal points out that v1.4.3.2-9-gc304d77 greps for the keyword in the wrong file, and that files with NFPROTO_UNSPEC are skipped. This patch corrects that part, and makes `make` now output the manpages it collected. Reported-by: Florian Westphal <fw@strlen.de> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* policy: merge ipv6 and ipv4 variantJan Engelhardt2009-06-012-463/+114
| | | | | | | | The files duplicate most of their code, and struct ipt_policy_info being defined to xt_policy_info makes them actually have even more in common. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* policy: use direct xt_policy_info instead of ipt/ip6tJan Engelhardt2009-05-312-66/+66
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libip6t_policy: remove redundant functionsJan Engelhardt2009-05-311-40/+8
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* manpages: do not include v4-only modules in ip6tables manpageJan Engelhardt2009-05-261-5/+5
| | | | | References: http://bugs.debian.org/529954 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* addrtype: fix one manpage typeJan Engelhardt2009-05-261-1/+1
| | | | | References: http://bugs.debian.org/528457 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: replace open-coded sizeof by ARRAY_SIZEJan Engelhardt2009-05-2618-104/+47
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: add const qualifiers in print/save functionsJan Engelhardt2009-05-2628-80/+67
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* xtables: use extern "C"Jan Engelhardt2009-05-261-0/+8
| | | | | | This fixes linking errors for 3rd-party C++ code. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Add new COMMIT_NOTES documentJan Engelhardt2009-05-251-0/+15
| | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* xtables: fix segfault if incorrect protocol name is usedPablo Neira Ayuso2009-05-121-0/+3
| | | | | | | | | | | | | | | | This patch fixes a segfault that can be triggered if you use an incorrect protocol, e.g. # iptables -I PREROUTING -t nat -p lalala --dport 21 -j DNAT --to 192.168.1.2:21 Segmentation fault With this patch: # iptables -I PREROUTING -t nat -p lalala --dport 21 -j DNAT --to 192.168.1.2:21 iptables v1.4.3.2: unknown protocol `lala' specified Try `iptables -h' or 'iptables --help' for more information Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: add `cluster' match supportPablo Neira Ayuso2009-05-063-0/+317
| | | | | | This patch adds support for the cluster match to iptables. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* SNAT/DNAT: add support for persistent multi-range NAT mappingsPatrick McHardy2009-04-173-2/+22
| | | | | | | Add support for persistent mappings (2.6.29-rc2+) as replacement for the removed SAME target. Signed-off-by: Patrick McHardy <kaber@trash.net>