| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
| |
Chain renaming (TC_RENAME_CHAIN) can result in an unsorted
chain list. That breaks the requirement of the binary search
done in iptcc_bsearch_chain_index().
Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
| |
iptc_insert_chain is too big to get inlined and so it generates
a warning while compiling.
Signed-off-by: Christoph Paasch <christoph.paasch@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1. Ignore the absence of /proc/net/ip_tables_names, which happens
when x_tables.ko is not loaded. This is equivalent to having
x_tables.ko, but no tabe modules, loaded. As such, success should
be returned.
2. Load table when explicitly requested by the -t option. Users might
expect "*foo" etc. to be output when `iptables-save -t foo` is
executed. So do autoload x_tables.ko and the table in this case.
*. Do this for both iptables-save and ip6tables-save, and adjust
the manpages for the new -M (modprobe program location) option that
is introduced.
Based upon a patch by Soren Hansen.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
| |
Reference: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=519584
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
| |
These are needed in case iptables gets installed into a non-standard
path. It also enables automatic detection of these locations from 3rd
party programs via pkgconfig.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
| |
Use explicit paragraph separator and conntrack(8).
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|\ |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch fixes options-merging that was broken somewhere
during the libxtables rework. Before this patch, two pointers
were used to keep the current options, however, the options field
in xt_params was not appropritely updated. Thus, xtables_free_opts()
was not restoring the original options.
This patch fixes iptables-restore and ip6tables-restore that
stopped working in my personal firewall.
% iptables-restore
*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables-restore v1.4.3-rc1: Unknown arg `ESTABLISHED,RELATED'
Error occurred at line: 4
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| | |
This fixes a problem introduced in 37b4bde745698bf140d74e59a2561f34deeb8726
that leads to the wrong calculation of the pattern length in the
string match.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Fix build failure of iptables utilities on debian/ubuntu, maybe other distros.
The values INT_MIN and INT_MAX are used by many filters and these
are defined in limits.h
---
patch against current iptables.git
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| |
| |
| |
| | |
The deprecation warning was added 7 months ago in v1.4.2-rc1-13-g1eada72
with a warning "next release". Next release is coming up, so enforce it.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| | |
Thanks to Stephen Hemminger for noticing.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|/
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
|
| |
reqid and SPI can only have a value in the range 0..UINT32_MAX, not
the entire range of the "long" type. Also throw an error if the
incoming string does not look like a pure number.
"Replaces" commit 6db2ded2f22a7e78743c86af523b8430876582e9.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
| |
Most touched files do not use anything from ip_tables.h, so
remove that #include. multiport instead, does need it (ipt_entry).
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
| |
Most touched files do not use anything from ip6_tables.h, so
remove that #include. multiport instead, does need it (ip6t_entry).
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
|
|
| |
http://bugzilla.netfilter.org/show_bug.cgi?id=577
When using the -m policy match, the option argument for --spi is converted
using strtol(), which returns a signed 32 bit value, so the highest
positive value is 0x7fffffff. Instead strtoul() should be used.
The same applies for the --reqid option argument.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
| |
Reference: http://bugs.debian.org/515752
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
| |
Tested-by: Jesper Dangaard Brouer <hawk@comx.dk>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
| |
Kill program_name, program_version and xtables_program_name.
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
|
|
|
|
|
|
|
|
|
|
|
| |
Introduce xtables_init_all() which hides three calls xtables_init(),
xtables_set_nfproto(), and xtables_set_params(). Make
ip[6]tables-restore, ip[6]tables-save and ip[6]tables-standalone use
it.
I moved xtables_set_params around for readability reasons.
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
|
|
|
|
|
|
|
|
| |
Introduce xtables_merge_options() for re-use reasons. Apps can use it
instead of each defining their own merge_options(). Made iptables and
ip6tables use the new shared interface.
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
|
|
|
|
|
|
| |
Addendum to commit 5c3e0767764bb7fa1db61ac326e8359161380e21.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
| |
The patch modifies xtables_globals to introduce orig_opts and
xtables_free_opts() to emulate what free_opts used to do. We also get
rid of the copies of free_opts() that iptables and ip6tables keep.
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
|
|
|
|
|
|
| |
Introduce xtables_set_revision() and make iptables and ip6tables use it.
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
|
|
|
|
|
|
| |
Set proper name of application.
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
|
|
|
|
|
|
|
|
|
|
|
|
| |
libipq.c: In function `ipq_create_handle':
libipq.c:220: error: `NFPROTO_IPV4' undeclared (first use in this function)
libipq.c:220: error: (Each undeclared identifier is reported only once
libipq.c:220: error: for each function it appears in.)
libipq.c:222: error: `NFPROTO_IPV6' undeclared (first use in this function)
Add the required includes.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
| |
This patch will support adding libiptc to the headers list in future.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
| |
Reference: http://bugs.debian.org/512281
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
| |
Reference: http://bugs.debian.org/511891
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
| |
Reference: http://bugs.debian.org/514869
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
| |
strlen ran over the end of the string. Use strnlen to bound it.
Reference: http://bugs.debian.org/513516
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|\ |
|
| |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| | |
Addendum to commit v1.4.3-rc1-41-g77f48c2 where the macro users
got moved.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| | |
libxtables uses dlopen, so *it* has to use -ldl, not the main program.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| |
| | |
Commit v1.4.3-rc1-47-g300e290 tried to consolidate the environment
variable presence checking code into xtables.c, but missed
adding IP6TABLES_LIB_DIR to libxtables.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Rename xtables_globals exit_error cb to exit_err and introduce
a very simple aliasing macro to point to it.
convert iptables, ip6tables and iptables_xml to use it.
Note iptables_xml does not have to define its own exit_error()
since it can use the basic one provided.
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Replace direct exit_error() calls inside libxtables with
xt_params->exit_error().
With this change; i can now compile the useless app:
-----
#include <xtables.h>
int main(int argc, char **argv) {
return 0;
}
----
with "gcc useless.c -lxtables -ldl"
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|