| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
A few build system changes.
* ip6tables needs IP6T_LIB_DIR
* correctly trigger rebuild of master manpages when
submanpages have been touched
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de.
|
| |
|
|
|
|
|
|
| |
Have the header files in the iptables source tree take precedence
over those from the kernel source. Otherwise, building the current
iptables from subversion just fails with kernels < 2.6.25.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| | |
|
| |
|
|
|
|
|
| |
Import libxt_TCPOPTSTRIP into iptables.
Signed-off-by: Sven Schnelle <svens@bitebene.org>
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
| |
Add support for xt_iprange revision 1
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
| |
Move libipt_iprange to libxt_iprange.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
| |
Introduce libxt_mark match revision 1 support.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
| |
Add checks for libxt_hashlimit so that options cannot be passed twice
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
| |
Rename overlapping function names.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
|
|
| |
Move a few functions from iptables.c/ip6tables.c to xtables.c
so they are available for combined (both AF_INET and AF_INET6)
libxt modules. Rename overlapping function names.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
| |
Move libipt_conntrack to libxt_conntrack.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
|
| |
If the file exists but could not be loaded, print the dlerror().
Often it is a missing symbol.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
| |
Add support for xt_connmark match revision 1.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
|
| |
Add support for xt_MARK target revision 2.
Also consolidate libip6t_MARK.man and libipt_MARK.man.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
|
| |
Move libipt_TOS revision 0 to libxt_TOS revision 0 and add support
for xt_TOS target revision 1.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
|
| |
Move libipt_tos revision 0 to libxt_tos revision 0 and add support
for xt_tos match revision 1.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
|
| |
libxt_owner merges libipt_owner and libip6t_owner, and adds support
for the xt_owner match revision 1.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
|
|
| |
Error messages vary wildly among modules, and there is a lot of
reundance in it too. Introduce a helper function that does all of
the parameter checking boilerplate and gives unique messages.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
back the 'end' pointer. It is useful where you want to do boundary
checking yet work with strings that are not entirely slurped by
strtoul(), e.g.:
s = "1/2"; /* one half */
if (!strtonum(s, &end, &value, 0, 5))
error("Zero-length string, or value out of bounds");
if (*end != '/')
error("Malformed string");
info->param1 = value;
if (!strtonum(end + 1, &end, &value, 2, 4))
error("..");
if (*end != '\0')
error("Malformed string");
info->param2 = value;
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
- Can build both static and dynamic at the same time
- iptables-static will be a multi-binary, semi-static
(link against libc but w/o dynamic plugins)
- Always build IPv6 modules
- consider INSTALL
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
| |
- check for malloc() return value in merge_opts()
- check for merge_opts() return value
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Solving scalability issue: for chain list "name" searching.
Functions: iptcc_find_label(), iptc_is_chain().
Testing if a chain exist, requires a linearly walk of linked list with
chain-names (doing a strcmp(3) in each step). Giving a worst-case
runtime of O(n) where n is the number of chains.
Why is this important to fix?! If only called once, this should not be
a big concern, even-though the string compares are expensive.
The performance issue arise with many chains for example; when using
"iptables-restore", or when listing all "iptables -nL" rules, or when
using CPAN IPTables::libiptc.
Having 50k chains, the rule listing, with the command:
"./iptables -nL > /dev/null",
Without patch it takes approximately 5 minutes,
With the patch it takes 0.5 seconds.
Listing without patch:
real 4m49.426s
user 4m37.993s
sys 0m0.280s
Listing with patch:
real 0m0.558s
user 0m0.484s
sys 0m0.064s
How is it solved?!
The issue is solved introducing a new data structure, that allow us to
do binary search of chain names. Thus, reducing the worst-case runtime
to O(log n).
Being more specific:
The new data structure is called "chain index", which is an array with
pointers into the chain list, with CHAIN_INDEX_BUCKET_LEN spacing.
This facilitates the ability to speedup chain list searching, by find
a more optimal starting points when searching the linked list.
The runtime complexity is actually also affected by this "bucket" size
concept. Thus, O(log(n/k) + k) where k is CHAIN_INDEX_BUCKET_LEN.
A nice property of the chain index, is that the "bucket" list
length is max CHAIN_INDEX_BUCKET_LEN (when just build, inserts will
change this). Oppose to hashing, where the "bucket" list length can
vary a lot.
Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
|
| |
|
|
|
|
| |
Introduce a counter for number of user defined chains.
Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
|
| |
|
|
|
|
|
| |
The two functions are obvious candidates for inlining.
Using gprof(1) shows that they actually affects performance.
Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
|
| |
|
|
|
|
|
|
|
|
| |
This patch fixes the problem that the CONNMARK mask value
has been set to 0 whenever the CONNMARK target options were
not the last options to be processed.
It initalizes the mask value rather than setting it for
each parse.
Signed-off-by: Peter Warasin <peter@endian.com>
|
| | |
|
| |
|
|
|
|
|
|
| |
if NO_SHARED_LIBS is defined, then iptables shouldnt even include dlfcn.h.
otherwise you hit a build failure when using toolchains that do not provide
dlfcn.h because they do not support shared objects.
Signed-Off-By: Mike Frysinger <vapier@gentoo.org>
|
| |
|
|
|
|
|
|
| |
Remove our own definitions of the Linux types and use <linux/types.h>
instead. libiptc needs it too, or otherwise will choke on union
nf_inet_addr.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch is an improvment of r7098 (made by me).
Assuring compatibility between 1.4.0 and older versions,
regarding chain sorting.
Chains from kernel are already sorted, as they are inserted
sorted. But there exists an issue when shifting to 1.4.0
from an older version, as old versions allow last created
chain to be unsorted. This unsorted chain would survive in
1.4.0, as chains are now only sorted on creation.
This patch verifies that chains are sorted, if not it fixes the sorting.
Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
|
| | |
|
| |
|
|
|
|
|
| |
When running as a user iptables can't determine the highest supported
revision and exits. Assume all revision are supported in case we get
a EPERM. If the user is not showing the help text but trying to add
new rules he'll get EPERM later anyway.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
libxt_u32.man already exists.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
