Commit message    Author    Age    Files    Lines
* doc: the -m option cannot be inverted
  Jan Engelhardt    2011-07-04    files: 2    lines: -6/+0
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* doc: fix version string in ip6tables.8
  Jan Engelhardt    2011-07-04    files: 1    lines: -1/+1
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* build: install modules in arch-dependent location
  Jan Engelhardt    2011-07-04    files: 2    lines: -2/+2
      Make it possible to have multiple types of ELF classes for the
      extension modules by putting them in an arch-dependent path.

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* doc: mention multiple verbosity flags
  Jan Engelhardt    2011-06-30    files: 2    lines: -2/+4
      "-vv" can be used to further increase the verbosity level. Document
      this.

      References: http://bugs.debian.org/616037
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* iptables-apply: select default rule file depending on call name
  Martin F. Krafft    2011-06-30    files: 1    lines: -12/+13
      ip6tables-apply points to iptables-apply (which is good). Since
      iptables/ip6tables rule files are different, the reporter suggests
      that the DEFAULT_FILE variable should depend on whether iptables-apply
      or ip6tables-apply is run.

      References: http://bugs.debian.org/547734
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* build: attempt to fix building under Linux 2.4
  Jan Engelhardt    2011-06-24    files: 2    lines: -4/+7
      iptables no longer compiles for Linux 2.4 because it uses
      linux/magic.h. This header and the PROC_SUPER_MAGIC macro are only
      for Linux 2.6.

      xtables.c:35:52: error: linux/magic.h: No such file or directory
      xtables.c: In function 'proc_file_exists':
      xtables.c:389: error: 'PROC_SUPER_MAGIC' undeclared (first use in this function)
      xtables.c:389: error: (Each undeclared identifier is reported only once for each function it appears in.)

      References: http://bugzilla.netfilter.org/show_bug.cgi?id=720
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* doc: fix group range in libxt_NFLOG's man
  Jakub Zawadzki    2011-06-24    files: 1    lines: -1/+1
      References: http://bugzilla.netfilter.org/show_bug.cgi?id=723
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_RATEEST: fix userspacesize field
  Massimo Maggi    2011-06-24    files: 1    lines: -1/+1
      I cannot delete a rule by matching it if the target of the rule is
      RATEEST. Copy-paste from terminal:

      # iptables -t mangle -A PREROUTING -j RATEEST --rateest-name somename --rateest-interval 250ms --rateest-ewmalog 4s
      # iptables -t mangle -D PREROUTING -j RATEEST --rateest-name somename --rateest-interval 250ms --rateest-ewmalog 4s
      iptables: No chain/target/match by that name.

      I saw in comments of the kernel code that the last part of the struct
      xt_rateest_target_info is used only by kernel:

      struct xt_rateest_target_info {
              char name[IFNAMSIZ];
              __s8 interval;
              __u8 ewma_log;

              /* Used internally by the kernel */
              struct xt_rateest *est __attribute__((aligned(8)));
      };

      but in struct xtables_target, .size and .userspacesize are equal.
      Simply correcting this solved the problem.

      References: http://bugzilla.netfilter.org/show_bug.cgi?id=724
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
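Added example, not code from the iptables tree or from the commit above: a minimal C model of the comparison that a delete-by-specification (-D) performs on target data, using the struct layout quoted in the message. The field values (interval 2, ewma_log 2) and the fake kernel pointer are constructed for the demonstration; .size and .userspacesize mirror the two struct xtables_target fields the fix touches. It shows why comparing all sizeof() bytes can never match once the kernel has filled in est, while comparing only offsetof(..., est) bytes does.

```c
/* Added example (not iptables code): why .userspacesize must exclude the
 * kernel-private tail of xt_rateest_target_info. When a rule is deleted by
 * specification, the target data of the rule typed on the command line is
 * compared against the copy read back from the kernel. The kernel fills in
 * the trailing pointer, so comparing the whole struct never matches. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IFNAMSIZ 16

struct xt_rateest;   /* opaque: only the kernel has the definition */

/* Layout as quoted in the commit message; __s8/__u8 spelled as stdint types. */
struct xt_rateest_target_info {
	char name[IFNAMSIZ];
	int8_t interval;
	uint8_t ewma_log;

	/* Used internally by the kernel */
	struct xt_rateest *est __attribute__((aligned(8)));
};

/* Mirror of the two xtables_target fields the fix touches. */
struct target_sizes {
	size_t size;           /* full struct, what is sent to the kernel */
	size_t userspacesize;  /* prefix that userspace is allowed to compare */
};

/* Before the fix: both fields equal, so the kernel pointer is compared too. */
static const struct target_sizes rateest_buggy = {
	.size = sizeof(struct xt_rateest_target_info),
	.userspacesize = sizeof(struct xt_rateest_target_info),
};

/* After the fix: stop comparing right before the kernel-private member. */
static const struct target_sizes rateest_fixed = {
	.size = sizeof(struct xt_rateest_target_info),
	.userspacesize = offsetof(struct xt_rateest_target_info, est),
};

/* Compare two target blobs the way delete-by-match does: only the first
 * userspacesize bytes count. */
static bool targets_match(const struct target_sizes *ts,
                          const struct xt_rateest_target_info *a,
                          const struct xt_rateest_target_info *b)
{
	return memcmp(a, b, ts->userspacesize) == 0;
}

/* Fill in what the user typed ("--rateest-name somename ..."); the kernel
 * pointer is whatever the caller passes (0 for freshly parsed input). */
static void make_info(struct xt_rateest_target_info *info,
                      const char *name, int8_t interval, uint8_t ewma_log,
                      uintptr_t kernel_est)
{
	memset(info, 0, sizeof(*info));   /* also zeroes the padding bytes */
	strncpy(info->name, name, IFNAMSIZ - 1);
	info->interval = interval;
	info->ewma_log = ewma_log;
	info->est = (struct xt_rateest *)kernel_est;
}

/* True when a rule added with these parameters can be found again after the
 * kernel has populated `est` in its own copy. Values are constructed. */
static bool can_delete_by_match(const struct target_sizes *ts)
{
	struct xt_rateest_target_info wanted, in_kernel;

	make_info(&wanted, "somename", 2, 2, 0);
	make_info(&in_kernel, "somename", 2, 2, (uintptr_t)0x0badc0deUL);
	return targets_match(ts, &wanted, &in_kernel);
}
```

The same pattern applies to any extension whose kernel-side struct carries private state after the user-visible fields: userspacesize is the offset of the first such member, never sizeof().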
* iptables: Coverity: RESOURCE_LEAK
  Jiri Popelka    2011-06-22    files: 1    lines: -0/+1
      xtables.c:320: alloc_fn: Calling allocation function "get_modprobe".
      xtables.c:294: alloc_fn: Storage is returned from allocation function "malloc".
      xtables.c:294: var_assign: Assigning: "ret" = "malloc(1024UL)".
      xtables.c:304: return_alloc: Returning allocated memory "ret".
      xtables.c:320: var_assign: Assigning: "buf" = storage returned from "get_modprobe()".
      xtables.c:323: var_assign: Assigning: "modprobe" = "buf".
      xtables.c:348: leaked_storage: Variable "buf" going out of scope leaks the storage it points to.
      xtables.c:348: leaked_storage: Returning without freeing "modprobe" leaks the storage that it points to.

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* iptables: Coverity: VARARGS
  Jiri Popelka    2011-06-22    files: 1    lines: -3/+9
      xtables.c:931: va_init: Initializing va_list "args".
      xtables.c:938: missing_va_end: va_end was not called for "args".
      xtables.c:947: missing_va_end: va_end was not called for "args".
      xtables.c:961: missing_va_end: va_end was not called for "args".

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* iptables: Coverity: REVERSE_INULL
  Jiri Popelka    2011-06-22    files: 3    lines: -6/+3
      ip6tables-restore.c:186: deref_ptr_in_call: Dereferencing pointer "in".
      ip6tables-restore.c:463: check_after_deref: Dereferencing "in" before a null check.
      iptables-restore.c:192: deref_ptr_in_call: Dereferencing pointer "in".
      iptables-restore.c:468: check_after_deref: Dereferencing "in" before a null check.
      iptables-xml.c:671: deref_ptr_in_call: Dereferencing pointer "in".
      iptables-xml.c:873: check_after_deref: Dereferencing "in" before a null check.

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* iptables: Coverity: NEGATIVE_RETURNS
  Jiri Popelka    2011-06-22    files: 1    lines: -1/+0
      libipq.c:232: var_tested_neg: Variable "h->fd" tests negative.
      libipq.c:234: negative_returns: "h->fd" is passed to a parameter that cannot be negative.

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* iptables: Coverity: DEADCODE
  Jiri Popelka    2011-06-22    files: 1    lines: -3/+1
      libiptc.c:407: dead_error_condition: On this path, the condition "res > 0" cannot be false.
      libiptc.c:396: at_least: After this line, the value of "res" is at least 1.
      libiptc.c:393: equality_cond: Condition "res == 0" is evaluated as false.
      libiptc.c:396: new_values: Noticing condition "res < 0".
      libiptc.c:425: new_values: Noticing condition "res < 0".
      libiptc.c:407: new_values: Noticing condition "res > 0".
      libiptc.c:435: dead_error_line: Execution cannot reach this statement "return list_pos;".

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* build: bump soversion for recent data structure change
  Jan Engelhardt    2011-06-22    files: 1    lines: -1/+1
      Cf. commit v1.4.11.1-5-g2dba676.

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxt_hashlimit: use a more obvious expiry value by default
  Jan Engelhardt    2011-06-22    files: 2    lines: -16/+46
      Due to the previous default expiry of 10 sec, "--hashlimit 1/min"
      would allow matching up to 6/min if properly timed. To do what the
      user expects, the minimum expiry must equal the selected time
      quantum however.

      Cc: Jan Rovner <jan.rovner@diadema.cz>
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
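Added example, not iptables code: a one-bucket C model of the behaviour the commit describes. It assumes what the message implies, namely that a hash entry is created with a full burst of credit (burst 1 here), that every packet touching the entry refreshes its idle timer, and that an entry idle for longer than the expiry is garbage-collected so the next packet gets a fresh bucket. The kernel's fixed-point credit arithmetic is replaced by doubles; the shape of the token bucket is what matters. With "1/min" and a 10 s expiry, a sender that waits exactly 10 s between packets gets 6 matches per minute; one that sends every 5 s keeps the entry alive and gets only 1.

```c
/* Added example (not iptables code): why hashlimit's default expiry must be
 * at least the rate's time quantum. A rate of 1/min means one token per
 * 60000 ms. If the entry holding the bucket is removed after 10 s of
 * silence, a sender who pauses 10 s between packets is always served from a
 * brand-new, full bucket. */
#include <stdbool.h>
#include <stdint.h>

struct bucket {
	bool     present;   /* entry currently exists in the hash table */
	double   credit;    /* tokens available, in packets */
	uint64_t last_ms;   /* time of the last packet that touched the entry */
};

struct hashlimit {
	double   quantum_ms;  /* ms per token: 1/min -> 60000 */
	double   burst;       /* credit cap in packets (assumed 1 here) */
	uint64_t expire_ms;   /* idle time after which GC removes the entry */
	struct bucket b;      /* one source address, so one bucket */
};

static void hashlimit_init(struct hashlimit *hl, double quantum_ms,
                           double burst, uint64_t expire_ms)
{
	hl->quantum_ms = quantum_ms;
	hl->burst = burst;
	hl->expire_ms = expire_ms;
	hl->b.present = false;
}

/* True when the packet arriving at now_ms is within the allowed rate. */
static bool hashlimit_match(struct hashlimit *hl, uint64_t now_ms)
{
	struct bucket *b = &hl->b;

	/* Garbage collection: an idle entry is gone, as if never seen. */
	if (b->present && now_ms - b->last_ms >= hl->expire_ms)
		b->present = false;

	if (!b->present) {
		b->present = true;
		b->credit = hl->burst;      /* fresh entry: full burst */
	} else {
		/* Refill proportionally to elapsed time, capped at burst. */
		b->credit += (double)(now_ms - b->last_ms) / hl->quantum_ms;
		if (b->credit > hl->burst)
			b->credit = hl->burst;
	}
	b->last_ms = now_ms;   /* every packet refreshes the idle timer */

	if (b->credit >= 1.0) {
		b->credit -= 1.0;
		return true;
	}
	return false;
}

/* Send one packet every interval_ms for one minute against "1/min" with
 * burst 1 and the given expiry; return how many packets matched. */
static int packets_matched_per_minute(uint64_t expire_ms, uint64_t interval_ms)
{
	struct hashlimit hl;
	int matched = 0;

	hashlimit_init(&hl, 60000.0, 1.0, expire_ms);
	for (uint64_t t = 0; t < 60000; t += interval_ms)
		matched += hashlimit_match(&hl, t);
	return matched;
}
```

Only the properly timed sender benefits: anything faster than the expiry keeps refreshing the entry and is rate-limited as intended, which is why the evasion is easy to miss in testing. Setting the expiry to the quantum (60000 ms for 1/min) closes the gap.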
* libxt_state: fix regression about inversion of main option
  Jan Engelhardt    2011-06-22    files: 2    lines: -1/+3
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* libip6t_HL: fix option names from ttl -> hl
  Jan Engelhardt    2011-06-22    files: 2    lines: -5/+17
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* libxt_RATEEST: abolish global variables
  Jan Engelhardt    2011-06-21    files: 1    lines: -7/+12
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* libxt_rateest: abolish global variables
  Jan Engelhardt    2011-06-21    files: 1    lines: -9/+3
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* extensions: support for per-extension instance "global" variable space
  Jan Engelhardt    2011-06-21    files: 3    lines: -3/+37
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* iptables: consolidate target/match init call
  Jan Engelhardt    2011-06-21    files: 4    lines: -14/+22
      This is useful for the upcoming patch about per-instance auxiliary
      data.

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* libxt_RATEEST: use guided option parser
  Jan Engelhardt    2011-06-21    files: 1    lines: -64/+30
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* libipt_LOG: fix ignoring all but last flags
  Jan Engelhardt    2011-06-21    files: 3    lines: -10/+12
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* doc: include matches/targets in manpage again
  Jan Engelhardt    2011-06-09    files: 1    lines: -2/+2
      Evil sed did not throw any warning whatsoever when it cannot find the
      file.

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* Bump version to 1.4.11.1 (tag: v1.4.11.1)
  Patrick McHardy    2011-06-08    files: 1    lines: -1/+1
      Signed-off-by: Patrick McHardy <kaber@trash.net>

* doc: fix MASQUERADE section of man page
  Vlad Dogaru    2011-06-08    files: 1    lines: -1/+1
      The section about MASQUERADE specifies that it takes a single option,
      but in reality it takes two: --to-ports and --random.

      Signed-off-by: Vlad Dogaru <ddvlad@rosedu.org>
      Signed-off-by: Patrick McHardy <kaber@trash.net>

* build: re-add missing CPPFLAGS for libiptc
  Jan Engelhardt    2011-06-08    files: 1    lines: -0/+3
      These got lost on commit v1.4.11-12-g5c8f5b6.

      Note: When /usr/include/libiptc/libiptc.h exists, this error is masked
      away :-/ (IMO, #include-with-quotes "foo.h" should not search system
      dirs...)

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* option: fix ignored negation before implicit extension loading
  Jan Engelhardt    2011-06-07    files: 5    lines: -8/+20
      `iptables -A INPUT -p tcp ! --syn` forgot the negation, i.e. it was
      not present in a subsequent `iptables -S`.

      Commit v1.4.11~77^2~9 missed the fact that after autoloading a proto
      extension, cs.invert must not be touched until the next getopt call.
      This is now fixed by having command_default return a value to indicate
      whether to jump or not.

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* tests: add some sample rulesets to test save-restore cycle
  Jan Engelhardt    2011-06-07    files: 2    lines: -0/+222
      These rulesets use practically all options (I may have missed some)
      for verification that the new Guided Option Parser would take the same
      input as the old open-coded ones did. They might come in handy at some
      point.

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* src: move all iptables pieces into a separate directory
  Jan Engelhardt    2011-06-07    files: 33    lines: -81/+84
      (Unclutter top-level dir)

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* src: move all libiptc pieces into its directory
  Jan Engelhardt    2011-06-07    files: 6    lines: -17/+18
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* xtables-multi: fix absence of xml translator in IPv6-only builds
  Maciej Żenczykowski    2011-06-07    files: 5    lines: -7/+14
      Commit v1.4.11-4-gde791ff did not actually build the iptables-xml code
      into the xtables-multi binary.

      Signed-off-by: Maciej Zenczykowski <maze@google.com>
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* doc: fix trivial typo in libipt_SNAT
  Elie De Brauwer    2011-06-01    files: 1    lines: -1/+1
      The word "occur" had unfortunately been removed in v1.3.8~23.

      References: http://bugzilla.netfilter.org/show_bug.cgi?id=707
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: move remaining preprocessor flags to CPPFLAGS
  Mike Frysinger    2011-06-01    files: 4    lines: -8/+8
      References: http://bugzilla.netfilter.org/show_bug.cgi?id=713
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: move kinclude's preprocessor flags to kinclude_CPPFLAGS
  Jan Engelhardt    2011-06-01    files: 3    lines: -9/+9
      References: http://bugzilla.netfilter.org/show_bug.cgi?id=713
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* build: move basic preprocessor flags to regular_CPPFLAGS
  Jan Engelhardt    2011-06-01    files: 5    lines: -7/+14
      This is where they belong, after all.

      References: http://bugzilla.netfilter.org/show_bug.cgi?id=713
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* doc: iptables-xml should be in manpage section 1
  Jan Engelhardt    2011-05-30    files: 2    lines: -1/+1
      References: http://bugs.debian.org/623112
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* doc: update GPL license text
  Jan Engelhardt    2011-05-30    files: 1    lines: -21/+21
      The Open Build Service/rpmlint flagged the outdated address in the
      license text :-)

      iptables.x86_64: W: incorrect-fsf-address /usr/share/doc/packages/iptables/COPYING
      The Free Software Foundation address in this file seems to be outdated or
      misspelled. Ask upstream to update the address, or if this is a license
      file, possibly the entire file with a new copy available from the FSF.

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* build: fix absence of xml translator in IPv6-only builds
  Jan Engelhardt    2011-05-30    files: 1    lines: -2/+2
      Due to iptables-xml being listed under IPV4 only, its symlink was not
      created on `./configure --disable-ipv4 && make install`.

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* build: fix installation of symlinks
  Jan Engelhardt    2011-05-30    files: 1    lines: -3/+3
      Commit v1.4.11~20 forgot to change the symlink target names to the new
      executable name.

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* build: remove dead code parts
  Jan Engelhardt    2011-05-30    files: 3    lines: -10/+2
      gcc-4.6 has a new warning, -Wunused-but-set-variable, which flags
      no-op code.

        CC     libiptc/libip4tc.lo
      In file included from libiptc/libip4tc.c:118:0:
      libiptc/libiptc.c: In function "iptcc_chain_index_delete_chain":
      libiptc/libiptc.c:611:32: warning: variable "index_ptr2" set but not used
      libiptc/libiptc.c: In function "alloc_handle":
      libiptc/libiptc.c:1282:9: warning: variable "len" set but not used
        CC     libiptc/libip6tc.lo
      In file included from libiptc/libip6tc.c:113:0:
      libiptc/libiptc.c: In function "iptcc_chain_index_delete_chain":
      libiptc/libiptc.c:611:32: warning: variable "index_ptr2" set but not used
      libiptc/libiptc.c: In function "alloc_handle":
      libiptc/libiptc.c:1282:9: warning: variable "len" set but not used
        CC     xtables_multi-iptables-xml.o
      iptables-xml.c: In function "do_rule_part":
      iptables-xml.c:376:8: warning: variable "thisChain" set but not used
        CC     xtables_multi-ip6tables.o
      ip6tables.c: In function "print_firewall":
      ip6tables.c:552:10: warning: variable "flags" set but not used

      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* libxt_owner: restore inversion support
  Jan Engelhardt    2011-05-29    files: 1    lines: -2/+4
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

* Bump version to 1.4.11 (tag: v1.4.11)
  Patrick McHardy    2011-05-26    files: 1    lines: -1/+1
      Signed-off-by: Patrick McHardy <kaber@trash.net>

* Merge branch 'master' of git://dev.medozas.de/iptables
  Patrick McHardy    2011-05-25    files: 24    lines: -292/+348
|\
| * libxt_time: deprecate --localtz option, document kernel TZ caveats
|   Jan Engelhardt    2011-05-25    files: 2    lines: -18/+45
|       Comparing against the kernel time zone has significant caveats. This
|       patch adds documentation about the issue, and makes --utc the default
|       setting for libxt_time. Furthermore, throw a warning on using the
|       "--localtz" option, to avoid confusion with one's shell TZ environment
|       variable, and rename it to "--kerneltz" to be explicit about whose
|       timezone will be used.
|
|       Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxt_time: --utc and --localtz are mutually exclusive
|   Jan Engelhardt    2011-05-25    files: 1    lines: -2/+6
|       Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| * libxt_time: always ignore libc timezone
|   Jan Engelhardt    2011-05-25    files: 1    lines: -1/+7
|       Since xt_time is meant to work across many months, libc doing
|       automatic conversion from local time to UTC (during parse) is
|       unwanted, especially when --utc is specified. The same goes for
|       dumping.
|
|       Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
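Added example, not libxt_time code, illustrating the two libxt_time commits above (the kernel TZ caveats and the libc conversion during parse). It parses a "YYYY-MM-DDThh:mm:ss" stamp in two ways: with explicit civil-date arithmetic, so the result depends only on the digits in the string, and with mktime(), which silently applies whatever TZ the process has. The "2011-05-25T00:00:00" stamp and the POSIX TZ strings "UTC0" and "EST5" are constructed inputs; the format string, the -1 error sentinel and the function names are this example's own.

```c
/* Added example (not libxt_time code): parse a datestamp as UTC without
 * letting libc's local-time conversion shift it, and show the shift that
 * mktime() introduces. A rule that must hold across months cannot depend
 * on the TZ of the shell that happened to load it. */
#define _XOPEN_SOURCE 700
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Days from 1970-01-01 to the given proleptic Gregorian date. */
static int64_t days_from_civil(int y, int m, int d)
{
	y -= m <= 2;
	int64_t era = (y >= 0 ? y : y - 399) / 400;
	int yoe = (int)(y - era * 400);                        /* [0, 399] */
	int doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1; /* [0, 365] */
	int doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;       /* [0, 146096] */
	return era * 146097 + doe - 719468;
}

/* Parse "YYYY-MM-DDThh:mm:ss" as UTC. Returns -1 on malformed input; the
 * digits alone determine the result, independent of the environment. */
static int64_t parse_utc(const char *s)
{
	int y, mo, d, h, mi, se;

	if (sscanf(s, "%d-%d-%dT%d:%d:%d", &y, &mo, &d, &h, &mi, &se) != 6)
		return -1;
	if (mo < 1 || mo > 12 || d < 1 || d > 31 ||
	    h < 0 || h > 23 || mi < 0 || mi > 59 || se < 0 || se > 60)
		return -1;
	return days_from_civil(y, mo, d) * 86400 + h * 3600 + mi * 60 + se;
}

/* The pitfall: the same digits through mktime(), which interprets struct
 * tm in the process's time zone. tz is a POSIX TZ string such as "EST5".
 * Returns -1 on malformed input. */
static int64_t parse_with_mktime(const char *s, const char *tz)
{
	struct tm tm = {0};

	if (sscanf(s, "%d-%d-%dT%d:%d:%d", &tm.tm_year, &tm.tm_mon,
	           &tm.tm_mday, &tm.tm_hour, &tm.tm_min, &tm.tm_sec) != 6)
		return -1;
	tm.tm_year -= 1900;
	tm.tm_mon -= 1;
	tm.tm_isdst = 0;
	setenv("TZ", tz, 1);
	tzset();
	return (int64_t)mktime(&tm);
}
```

Under TZ=UTC0 the two agree; under TZ=EST5 mktime() moves the same string five hours later. That is exactly the dependence on the loading shell's environment that the commit removes, and the reason the kernel-TZ comparison is documented as a caveat rather than a default.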
| * libxt_NFQUEUE: add mutual exclusion between qnum and qbal
|   Jan Engelhardt    2011-05-25    files: 1    lines: -2/+5
|       Only one is printed on save operation, which leads me to believe
|       that only one is meant to be used. The manpage seems to corroborate.
|
|       Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| * libxt_NFQUEUE: avoid double attempt at parsing
|   Jan Engelhardt    2011-05-25    files: 1    lines: -4/+1
|       Fixes this error:
|
|       NFQUEUE: option "--queue-num" can only be used once.
|
|       Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libxtables: have xtopt_parse_mint interpret partially-spec'd ranges
|   Jan Engelhardt    2011-05-25    files: 8    lines: -119/+42
|       When ":n" or "n:" is specified, it will now be interpreted as "0:n"
|       and "n:<max>", respectively. nvals will always reflect the number of
|       (expanded) components.
|
|       This restores the functionality of options that take such
|       partially-unspecified ranges.
|
|       This makes it possible to nuke the per-matchdata init functions of
|       some extensions and simplify the extensions' postparsing to the
|       point where it only needs to check for nvals==1 or ==2.
|
|       Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| | | | | | | | | | | | | | | | | | | | | | | | | | When ":n" or "n:" is specified, it will now be interpreted as "0:n" and "n:<max>", respecitvely. nvals will always reflect the number of (expanded) components. This restores the functionality of options that take such partially-unspecified ranges. This makes it possible to nuke the per-matchdata init functions of some extensions and simply the extensions postparsing to the point where it only needs to check for nvals==1 or ==2. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>