Commit message (Author, Age, Files, Lines)
* libiptc: fix chain rename bug in libiptc (Jesper Dangaard Brouer, 2009-03-23, 1 file, -1/+8)
| Chain renaming (TC_RENAME_CHAIN) can result in an unsorted chain list. That breaks the requirement of the binary search done in iptcc_bsearch_chain_index().
|
| Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
| Signed-off-by: Patrick McHardy <kaber@trash.net>
* libiptc: avoid compile warnings for iptc_insert_chain (Christoph Paasch, 2009-03-23, 1 file, -1/+1)
| iptc_insert_chain is too big to get inlined and so it generates a warning while compiling.
|
| Signed-off-by: Christoph Paasch <christoph.paasch@gmail.com>
| Signed-off-by: Patrick McHardy <kaber@trash.net>
* iptables-save: module loading corrections (Jan Engelhardt, 2009-03-19, 4 files, -8/+28)
| 1. Ignore the absence of /proc/net/ip_tables_names, which happens when x_tables.ko is not loaded. This is equivalent to having x_tables.ko, but no table modules, loaded. As such, success should be returned.
|
| 2. Load table when explicitly requested by the -t option. Users might expect "*foo" etc. to be output when `iptables-save -t foo` is executed. So do autoload x_tables.ko and the table in this case.
|
| *. Do this for both iptables-save and ip6tables-save, and adjust the manpages for the new -M (modprobe program location) option that is introduced.
|
| Based upon a patch by Soren Hansen.
|
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_comment: output quotes must be escaped in (Jan Engelhardt, 2009-03-19, 1 file, -1/+2)
| Reference: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=519584
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: add -I/-L flags to pkgconfig files (Jan Engelhardt, 2009-03-19, 1 file, -1/+2)
| These are needed in case iptables gets installed into a non-standard path. It also enables automatic detection of these locations from 3rd party programs via pkgconfig.
|
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_connbytes: document nf_ct_acct behavior (Jan Engelhardt, 2009-03-17, 1 file, -0/+6)
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_connbytes: minor manpage adjustments (Jan Engelhardt, 2009-03-17, 1 file, -5/+5)
| Use explicit paragraph separator and conntrack(8).
|
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Merge commit 'nf/master' (Jan Engelhardt, 2009-03-15, 4 files, -7/+7)
|\
| * iptables: fix broken options-merging during libxtables rework (Pablo Neira Ayuso, 2009-03-03, 2 files, -3/+2)
| | This patch fixes options-merging that was broken somewhere during the libxtables rework. Before this patch, two pointers were used to keep the current options, however, the options field in xt_params was not appropriately updated. Thus, xtables_free_opts() was not restoring the original options.
| |
| | This patch fixes iptables-restore and ip6tables-restore that stopped working in my personal firewall.
| |
| | % iptables-restore
| | *filter
| | -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
| | -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
| | iptables-restore v1.4.3-rc1: Unknown arg `ESTABLISHED,RELATED'
| | Error occurred at line: 4
| | Try `iptables-restore -h' or 'iptables-restore --help' for more information.
| |
| | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * string: fix wrong pattern length calculation (Pablo Neira Ayuso, 2009-03-02, 1 file, -4/+4)
| | This fixes a problem introduced in 37b4bde745698bf140d74e59a2561f34deeb8726 that leads to the wrong calculation of the pattern length in the string match.
| |
| | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| * iptables: Add limits.h to get INT_MIN, INT_MAX, ... (Stephen Hemminger, 2009-02-25, 1 file, -0/+1)
| | Fix build failure of iptables utilities on debian/ubuntu, maybe other distros. The values INT_MIN and INT_MAX are used by many filters and these are defined in limits.h
| |
| | --- patch against current iptables.git
| |
| | Signed-off-by: Patrick McHardy <kaber@trash.net>
* | iptables: turn deprecation warning into enforcing mode (Jan Engelhardt, 2009-03-15, 1 file, -4/+3)
| | The deprecation warning was added 7 months ago in v1.4.2-rc1-13-g1eada72 with a warning "next release". Next release is coming up, so enforce it.
| |
| | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | extensions: add missing limits.h include (Jan Engelhardt, 2009-02-21, 10 files, -0/+18)
| | Thanks to Stephen Hemminger for noticing.
| |
| | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | include: resynchronize headers with 2.6.29-rc5 (Jan Engelhardt, 2009-02-21, 20 files, -114/+117)
|/
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_policy: use bounded strtoui (Jan Engelhardt, 2009-02-21, 2 files, -6/+14)
| reqid and SPI can only have a value in the range 0..UINT32_MAX, not the entire range of the "long" type. Also throw an error if the incoming string does not look like a pure number.
|
| "Replaces" commit 6db2ded2f22a7e78743c86af523b8430876582e9.
|
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: remove unwanted/add needed includes for IPv4 exts (Jan Engelhardt, 2009-02-21, 16 files, -15/+2)
| Most touched files do not use anything from ip_tables.h, so remove that #include. multiport instead, does need it (ipt_entry).
|
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: remove unwanted/add needed includes for IPv6 exts (Jan Engelhardt, 2009-02-21, 8 files, -9/+3)
| Most touched files do not use anything from ip6_tables.h, so remove that #include. multiport instead, does need it (ip6t_entry).
|
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix exit_error to xtables_error (Jan Engelhardt, 2009-02-21, 90 files, -746/+746)
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: inline and remove unused OPTION_OFFSET macro (Jan Engelhardt, 2009-02-21, 2 files, -2/+1)
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: resynchronize manpage with in-code help (Jan Engelhardt, 2009-02-21, 4 files, -10/+12)
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_policy: cannot set spi/reqid numbers higher than 0x7fffffff (Christian Perle, 2009-02-17, 2 files, -4/+4)
| http://bugzilla.netfilter.org/show_bug.cgi?id=577
|
| When using the -m policy match, the option argument for --spi is converted using strtol(), which returns a signed 32 bit value, so the highest positive value is 0x7fffffff. Instead strtoul() should be used. The same applies for the --reqid option argument.
|
| Signed-off-by: Patrick McHardy <kaber@trash.net>
* doc: do not put IPv4 doc into ip6tables.8 (Jan Engelhardt, 2009-02-17, 1 file, -11/+5)
| Reference: http://bugs.debian.org/515752
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: trigger reconfigure when extensions/GNUmakefile.in changes (Jan Engelhardt, 2009-02-17, 1 file, -1/+2)
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libiptc: make library available as a shared library (Jan Engelhardt, 2009-02-16, 5 files, -9/+27)
| Tested-by: Jesper Dangaard Brouer <hawk@comx.dk>
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: general follow-up cleanup (Jamal Hadi Salim, 2009-02-13, 11 files, -87/+64)
| Kill program_name, program_version and xtables_program_name.
|
| Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
* libxtables: consolidate init calls into one function (Jamal Hadi Salim, 2009-02-13, 10 files, -39/+76)
| Introduce xtables_init_all() which hides three calls xtables_init(), xtables_set_nfproto(), and xtables_set_params(). Make ip[6]tables-restore, ip[6]tables-save and ip[6]tables-standalone use it. I moved xtables_set_params around for readability reasons.
|
| Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
* libxtables: consolidate merge_options into xtables_merge_options (Jamal Hadi Salim, 2009-02-13, 4 files, -70/+41)
| Introduce xtables_merge_options() for re-use reasons. Apps can use it instead of each defining their own merge_options(). Made iptables and ip6tables use the new shared interface.
|
| Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
* build: remove unneeded -ldl from iptables_xml_LDADD (Jan Engelhardt, 2009-02-12, 1 file, -1/+1)
| Addendum to commit 5c3e0767764bb7fa1db61ac326e8359161380e21.
|
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: make iptables and ip6tables use xtables_free_opts (Jamal Hadi Salim, 2009-02-12, 4 files, -35/+17)
| The patch modifies xtables_globals to introduce orig_opts and xtables_free_opts() to emulate what free_opts used to do. We also get rid of the copies of free_opts() that iptables and ip6tables keep.
|
| Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
* libxtables: add xtables_set_revision (Jamal Hadi Salim, 2009-02-12, 4 files, -23/+16)
| Introduce xtables_set_revision() and make iptables and ip6tables use it.
|
| Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
* libxtables: set names of programs (Jamal Hadi Salim, 2009-02-12, 10 files, -2/+10)
| Set proper name of application.
|
| Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
* libipq: fix compile error (Jan Engelhardt, 2009-02-12, 1 file, -0/+2)
| libipq.c: In function `ipq_create_handle':
| libipq.c:220: error: `NFPROTO_IPV4' undeclared (first use in this function)
| libipq.c:220: error: (Each undeclared identifier is reported only once
| libipq.c:220: error: for each function it appears in.)
| libipq.c:222: error: `NFPROTO_IPV6' undeclared (first use in this function)
|
| Add the required includes.
|
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: restructure Makefile for include/ directory (Jan Engelhardt, 2009-02-12, 4 files, -5/+13)
| This patch will support adding libiptc to the headers list in future.
|
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: fix one layout issue in iptables-restore.8 (Shaul Karl, 2009-02-12, 1 file, -1/+0)
| Reference: http://bugs.debian.org/512281
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: fix option typo in libxt_multiport (Marc Fournier, 2009-02-12, 1 file, -2/+2)
| Reference: http://bugs.debian.org/511891
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libipq: add missing doc for NF_ values (Jan Engelhardt, 2009-02-12, 1 file, -0/+7)
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: flush before fork (Jan Engelhardt, 2009-02-12, 1 file, -0/+6)
| Reference: http://bugs.debian.org/514869
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_string: fix undefined behavior/incorrect patlen calculation (Jan Engelhardt, 2009-02-12, 1 file, -1/+3)
| strlen ran over the end of the string. Use strnlen to bound it.
|
| Reference: http://bugs.debian.org/513516
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: use const for vars holding literals (Jan Engelhardt, 2009-02-12, 1 file, -2/+1)
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Merge branch 'master' of git://dev.medozas.de/iptables (Patrick McHardy, 2009-02-12, 11 files, -67/+73)
|\
| * src: consolidate duplicate code in iptables/internal.h (Jan Engelhardt, 2009-02-10, 3 files, -4/+2)
| | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxtables: move compat defines to xtables.c (Jan Engelhardt, 2009-02-10, 3 files, -10/+9)
| | Addendum to commit v1.4.3-rc1-41-g77f48c2 where the macro users got moved.
| |
| | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * src: remove unused ipt_tryload macro (Jan Engelhardt, 2009-02-10, 2 files, -4/+0)
| | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * src: remove iptables_rule_match indirection macro (Jan Engelhardt, 2009-02-10, 4 files, -26/+24)
| | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxtables: decouple non-xtables parts from header (Jan Engelhardt, 2009-02-10, 7 files, -9/+14)
| | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxtables: remove unused XT_LIB_DIR macro (Jan Engelhardt, 2009-02-10, 1 file, -4/+0)
| | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * build: move -ldl to proper LDADD (Jan Engelhardt, 2009-02-10, 1 file, -2/+3)
| | libxtables uses dlopen, so *it* has to use -ldl, not the main program.
| |
| | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxtables: recognize IP6TABLES_LIB_DIR old-style environment variable (Jan Engelhardt, 2009-02-10, 1 file, -0/+13)
| | Commit v1.4.3-rc1-47-g300e290 tried to consolidate the environment variable presence checking code into xtables.c, but missed adding IP6TABLES_LIB_DIR to libxtables.
| |
| | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | libxtables: simple aliasing macro for exit_error (Jamal Hadi Salim, 2009-02-11, 5 files, -42/+35)
| | Rename xtables_globals exit_error cb to exit_err and introduce a very simple aliasing macro to point to it. Convert iptables, ip6tables and iptables_xml to use it. Note iptables_xml does not have to define its own exit_error() since it can use the basic one provided.
| |
| | Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
| | Signed-off-by: Patrick McHardy <kaber@trash.net>
* | libxtables: Replace direct exit_error() calls inside libxtables (Jamal Hadi Salim, 2009-02-11, 1 file, -18/+18)
| | Replace direct exit_error() calls inside libxtables with xt_params->exit_error(). With this change, I can now compile the useless app:
| |
| | -----
| | #include <xtables.h>
| |
| | int main(int argc, char **argv)
| | {
| |         return 0;
| | }
| | ----
| |
| | with "gcc useless.c -lxtables -ldl"
| |
| | Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
| | Signed-off-by: Patrick McHardy <kaber@trash.net>