Commit message | Author | Age | Files | Lines
* iptables: Coverity: VARARGS | Jiri Popelka | 2011-06-22 | 1 | -3/+9
    xtables.c:931: va_init: Initializing va_list "args".
    xtables.c:938: missing_va_end: va_end was not called for "args".
    xtables.c:947: missing_va_end: va_end was not called for "args".
    xtables.c:961: missing_va_end: va_end was not called for "args".
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: Coverity: REVERSE_INULL | Jiri Popelka | 2011-06-22 | 3 | -6/+3
    ip6tables-restore.c:186: deref_ptr_in_call: Dereferencing pointer "in".
    ip6tables-restore.c:463: check_after_deref: Dereferencing "in" before a null check.
    iptables-restore.c:192: deref_ptr_in_call: Dereferencing pointer "in".
    iptables-restore.c:468: check_after_deref: Dereferencing "in" before a null check.
    iptables-xml.c:671: deref_ptr_in_call: Dereferencing pointer "in".
    iptables-xml.c:873: check_after_deref: Dereferencing "in" before a null check.
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: Coverity: NEGATIVE_RETURNS | Jiri Popelka | 2011-06-22 | 1 | -1/+0
    libipq.c:232: var_tested_neg: Variable "h->fd" tests negative.
    libipq.c:234: negative_returns: "h->fd" is passed to a parameter that cannot be negative.
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: Coverity: DEADCODE | Jiri Popelka | 2011-06-22 | 1 | -3/+1
    libiptc.c:407: dead_error_condition: On this path, the condition "res > 0" cannot be false.
    libiptc.c:396: at_least: After this line, the value of "res" is at least 1.
    libiptc.c:393: equality_cond: Condition "res == 0" is evaluated as false.
    libiptc.c:396: new_values: Noticing condition "res < 0".
    libiptc.c:425: new_values: Noticing condition "res < 0".
    libiptc.c:407: new_values: Noticing condition "res > 0".
    libiptc.c:435: dead_error_line: Execution cannot reach this statement "return list_pos;".
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: bump soversion for recent data structure change | Jan Engelhardt | 2011-06-22 | 1 | -1/+1
    Cf. commit v1.4.11.1-5-g2dba676.
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_hashlimit: use a more obvious expiry value by default | Jan Engelhardt | 2011-06-22 | 2 | -16/+46
    Due to the previous default expiry of 10 sec, "--hashlimit 1/min" would allow matching up to 6/min if properly timed. To do what the user expects, the minimum expiry must equal the selected time quantum however.
    Cc: Jan Rovner <jan.rovner@diadema.cz>
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_state: fix regression about inversion of main option | Jan Engelhardt | 2011-06-22 | 2 | -1/+3
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libip6t_HL: fix option names from ttl -> hl | Jan Engelhardt | 2011-06-22 | 2 | -5/+17
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_RATEEST: abolish global variables | Jan Engelhardt | 2011-06-21 | 1 | -7/+12
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_rateest: abolish global variables | Jan Engelhardt | 2011-06-21 | 1 | -9/+3
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: support for per-extension instance "global" variable space | Jan Engelhardt | 2011-06-21 | 3 | -3/+37
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: consolidate target/match init call | Jan Engelhardt | 2011-06-21 | 4 | -14/+22
    This is useful for the upcoming patch about per-instance auxiliary data.
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_RATEEST: use guided option parser | Jan Engelhardt | 2011-06-21 | 1 | -64/+30
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libipt_LOG: fix ignoring all but last flags | Jan Engelhardt | 2011-06-21 | 3 | -10/+12
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: include matches/targets in manpage again | Jan Engelhardt | 2011-06-09 | 1 | -2/+2
    Evil sed did not throw any warning whatsoever when it cannot find the file.
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Bump version to 1.4.11.1 (tag v1.4.11.1) | Patrick McHardy | 2011-06-08 | 1 | -1/+1
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* doc: fix MASQUERADE section of man page | Vlad Dogaru | 2011-06-08 | 1 | -1/+1
    The section about MASQUERADE specifies that it takes a single option, but in reality it takes two: --to-ports and --random.
    Signed-off-by: Vlad Dogaru <ddvlad@rosedu.org>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* build: re-add missing CPPFLAGS for libiptc | Jan Engelhardt | 2011-06-08 | 1 | -0/+3
    These got lost on commit v1.4.11-12-g5c8f5b6.
    Note: When /usr/include/libiptc/libiptc.h exists, this error is masked away :-/ (IMO, #include-with-quotes "foo.h" should not search system dirs...)
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* option: fix ignored negation before implicit extension loading | Jan Engelhardt | 2011-06-07 | 5 | -8/+20
    `iptables -A INPUT -p tcp ! --syn` forgot the negation, i.e. it was not present in a subsequent `iptables -S`. Commit v1.4.11~77^2~9 missed the fact that after autoloading a proto extension, cs.invert must not be touched until the next getopt call. This is now fixed by having command_default return a value to indicate whether to jump or not.
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* tests: add some sample rulesets to test save-restore cycle | Jan Engelhardt | 2011-06-07 | 2 | -0/+222
    These rulesets use practically all options (I may have missed some) for verification that the new Guided Option Parser would take the same input as the old open-coded ones did. They might come in handy at some point.
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: move all iptables pieces into a separate directory | Jan Engelhardt | 2011-06-07 | 33 | -81/+84
    (Unclutter top-level dir)
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: move all libiptc pieces into its directory | Jan Engelhardt | 2011-06-07 | 6 | -17/+18
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* xtables-multi: fix absence of xml translator in IPv6-only builds | Maciej Żenczykowski | 2011-06-07 | 5 | -7/+14
    Commit v1.4.11-4-gde791ff did not actually build the iptables-xml code into the xtables-multi binary.
    Signed-off-by: Maciej Zenczykowski <maze@google.com>
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: fix trivial typo in libipt_SNAT | Elie De Brauwer | 2011-06-01 | 1 | -1/+1
    The word "occur" had unfortunately been removed in v1.3.8~23.
    References: http://bugzilla.netfilter.org/show_bug.cgi?id=707
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: move remaining preprocessor flags to CPPFLAGS | Mike Frysinger | 2011-06-01 | 4 | -8/+8
    References: http://bugzilla.netfilter.org/show_bug.cgi?id=713
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: move kinclude's preprocessor flags to kinclude_CPPFLAGS | Jan Engelhardt | 2011-06-01 | 3 | -9/+9
    References: http://bugzilla.netfilter.org/show_bug.cgi?id=713
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: move basic preprocessor flags to regular_CPPFLAGS | Jan Engelhardt | 2011-06-01 | 5 | -7/+14
    This is where they belong, after all.
    References: http://bugzilla.netfilter.org/show_bug.cgi?id=713
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: iptables-xml should be in manpage section 1 | Jan Engelhardt | 2011-05-30 | 2 | -1/+1
    References: http://bugs.debian.org/623112
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: update GPL license text | Jan Engelhardt | 2011-05-30 | 1 | -21/+21
    The Open Build Service/rpmlint flagged the outdated address in the license text :-)
    iptables.x86_64: W: incorrect-fsf-address /usr/share/doc/packages/iptables/COPYING
    The Free Software Foundation address in this file seems to be outdated or misspelled. Ask upstream to update the address, or if this is a license file, possibly the entire file with a new copy available from the FSF.
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: fix absence of xml translator in IPv6-only builds | Jan Engelhardt | 2011-05-30 | 1 | -2/+2
    Due to iptables-xml being listed under IPV4 only, its symlink was not created on `./configure --disable-ipv4 && make install`.
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: fix installation of symlinks | Jan Engelhardt | 2011-05-30 | 1 | -3/+3
    Commit v1.4.11~20 forgot to change the symlink target names to the new executable name.
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: remove dead code parts | Jan Engelhardt | 2011-05-30 | 3 | -10/+2
    gcc-4.6 has a new warning, -Wunused-but-set-variable, which flags no-op code.
      CC     libiptc/libip4tc.lo
    In file included from libiptc/libip4tc.c:118:0:
    libiptc/libiptc.c: In function "iptcc_chain_index_delete_chain":
    libiptc/libiptc.c:611:32: warning: variable "index_ptr2" set but not used
    libiptc/libiptc.c: In function "alloc_handle":
    libiptc/libiptc.c:1282:9: warning: variable "len" set but not used
      CC     libiptc/libip6tc.lo
    In file included from libiptc/libip6tc.c:113:0:
    libiptc/libiptc.c: In function "iptcc_chain_index_delete_chain":
    libiptc/libiptc.c:611:32: warning: variable "index_ptr2" set but not used
    libiptc/libiptc.c: In function "alloc_handle":
    libiptc/libiptc.c:1282:9: warning: variable "len" set but not used
      CC     xtables_multi-iptables-xml.o
    iptables-xml.c: In function "do_rule_part":
    iptables-xml.c:376:8: warning: variable "thisChain" set but not used
      CC     xtables_multi-ip6tables.o
    ip6tables.c: In function "print_firewall":
    ip6tables.c:552:10: warning: variable "flags" set but not used
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_owner: restore inversion support | Jan Engelhardt | 2011-05-29 | 1 | -2/+4
    Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Bump version to 1.4.11 (tag v1.4.11) | Patrick McHardy | 2011-05-26 | 1 | -1/+1
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* Merge branch 'master' of git://dev.medozas.de/iptables | Patrick McHardy | 2011-05-25 | 24 | -292/+348
  * libxt_time: deprecate --localtz option, document kernel TZ caveats | Jan Engelhardt | 2011-05-25 | 2 | -18/+45
      Comparing against the kernel time zone has significant caveats. This patch adds documentation about the issue, and makes --utc the default setting for libxt_time. Furthermore, throw a warning on using the "--localtz" option, to avoid confusion with one's shell TZ environment variable, and rename it to "--kerneltz" to be explicit about whose timezone will be used.
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  * libxt_time: --utc and --localtz are mutually exclusive | Jan Engelhardt | 2011-05-25 | 1 | -2/+6
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  * libxt_time: always ignore libc timezone | Jan Engelhardt | 2011-05-25 | 1 | -1/+7
      Since xt_time is meant to work across many months, libc doing automatic conversion from local time to UTC (during parse) is unwanted, especially when --utc is specified. The same goes for dumping.
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  * libxt_NFQUEUE: add mutual exclusion between qnum and qbal | Jan Engelhardt | 2011-05-25 | 1 | -2/+5
      Only one is printed on save operation, which leads me to believe that only one is meant to be used. The manpage seems to corroborate.
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  * libxt_NFQUEUE: avoid double attempt at parsing | Jan Engelhardt | 2011-05-25 | 1 | -4/+1
      Fixes this error:
      NFQUEUE: option "--queue-num" can only be used once.
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  * libxtables: have xtopt_parse_mint interpret partially-spec'd ranges | Jan Engelhardt | 2011-05-25 | 8 | -119/+42
      When ":n" or "n:" is specified, it will now be interpreted as "0:n" and "n:<max>", respectively. nvals will always reflect the number of (expanded) components. This restores the functionality of options that take such partially-unspecified ranges. This makes it possible to nuke the per-matchdata init functions of some extensions and simplify the extensions' postparsing to the point where it only needs to check for nvals==1 or ==2.
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  * libxtables: unclutter xtopt_parse_mint | Jan Engelhardt | 2011-05-24 | 1 | -54/+94
      ..by moving type-based actions into their own function.
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  * libxtables: make multiint parser have greater range | Jan Engelhardt | 2011-05-24 | 1 | -11/+27
      Since parse_mint can handle XTTYPE_UINT64RC, it must allow numbers larger than UINT32_MAX.
      Cc: JP Abgrall <jpa@google.com>
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  * libxtables: use uintmax for xtables_strtoul | Jan Engelhardt | 2011-05-24 | 3 | -10/+11
      Addendum to 2305d5fb42fc059f38fc1bdf53411dbeecdb310b. I noticed that unsigned long long is not consistently used, for example, min/max are still just unsigned long, and strtoul is being called. Instead of changing it to unsigned long long, just use uintmax functions right away so this does not need size-related changing in the future.
      Cc: JP Abgrall <jpa@google.com>
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  * libxtables: more detailed error message on multi-int parsing | Jan Engelhardt | 2011-05-24 | 1 | -4/+5
      Now shows where exactly the error is.
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  * libip6t_rt: restore --rt-type storing | Jan Engelhardt | 2011-05-24 | 1 | -2/+2
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  * libxt_u32: --u32 option is required | Jan Engelhardt | 2011-05-24 | 1 | -1/+2
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  * libxt_ipvs: restore network-byte order | Jan Engelhardt | 2011-05-24 | 1 | -2/+4
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  * doc: remove redundant .IP calls in libxt_time | Jan Engelhardt | 2011-05-24 | 1 | -6/+0
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
  * doc: use .IP list for TCPMSS | Jan Engelhardt | 2011-05-24 | 1 | -10/+4
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>