Commit message / Author / Age / Files / Lines
* iptables 1.4.19.1 release (tag v1.4.19.1)
  Pablo Neira Ayuso, 2013-05-29, 1 file, -1/+1
  Unfortunately, the previous release did not include two patches that were applied by Florian recently. This release fixes that.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump version to 1.4.19
  Pablo Neira Ayuso, 2013-05-29, 1 file, -1/+1
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: mention SNAT in INPUT chain since kernel 2.6.36
  Michael Roth, 2013-05-19, 1 file, -1/+10
  SNAT in the INPUT chain was added to the kernel in Jun 2010 (commit c68cd6cc21eb329c47ff020ff7412bf58176984e).
  Signed-off-by: Michael Roth <mail@mroth.net>
  Signed-off-by: Florian Westphal <fw@strlen.de>
* Revert "extensions: add connlabel match" duplicate
  Florian Westphal, 2013-05-15, 1 file, -4/+0
  This reverts commit ca376fcbe51b9a102a490545957d5fee69e253e1 to get rid of the duplicated install-data-hook. This should get the tree back into the right state.
  Conflicts:
    Makefile.am
* libxtables: fix parsing of dotted network mask format
  Pablo Neira Ayuso, 2013-05-09, 1 file, -3/+35
  After upgrading from iptables 1.4.8 to 1.4.18, netmask parsing got broken:
    -A foo -m policy --mode tunnel --dir in --tunnel-src 192.168.123.0/255.255.255.0 -j RETURN
  With iptables 1.4.18:
    iptables-restore v1.4.18: policy: bad value for option "--tunnel-src", or out of range (0-32)
  This was probably broken by the augmented parser.
  Reported-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: add connlabel match
  Florian Westphal, 2013-05-06, 5 files, -0/+266
  Allows "tagging" connections with up to 128 label names. Labels are defined in /etc/xtables/connlabel.conf, example:
    0 from eth0
    1 via eth0
  Labels can then be attached to flows, e.g.
    -A PREROUTING -i eth0 -m connlabel --label "from eth0" --set
  Signed-off-by: Florian Westphal <fw@strlen.de>
* extensions: add connlabel match
  Florian Westphal, 2013-05-06, 1 file, -0/+4
  Allows "tagging" connections with up to 128 label names. Labels are defined in /etc/xtables/connlabel.conf, example:
    0 from eth0
    1 via eth0
  Labels can then be attached to flows, e.g.
    -A PREROUTING -i eth0 -m connlabel --label "from eth0" --set
  Signed-off-by: Florian Westphal <fw@strlen.de>
* libxt_conntrack: fix state match alias state parsing
  Patrick McHardy, 2013-04-26, 1 file, -10/+10
  The conntrack match uses a different value for the UNTRACKED state than the state match. Translate states to conntrack states to make sure they all match.
  Signed-off-by: Patrick McHardy <kaber@trash.net>
* extensions: libxt_multiport: Update manpage to list valid protocols
  Mart Frauenlob, 2013-04-19, 1 file, -4/+3
  This patch updates the list of valid protocols in the man page section of the multiport match to: tcp, udp, udplite, dccp and sctp.
  Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libxt_bpf: clarify --bytecode argument
  Pablo Neira Ayuso, 2013-04-19, 1 file, -1/+1
  Mart Frauenlob suggested a change to explain the --bytecode better. I have added some reference to the example bytecode in the format that this argument accepts.
  Reported-by: Mart Frauenlob <mart.frauenlob@chello.at>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: updates .gitignore to include nfbpf_compile
  Pablo Neira Ayuso, 2013-04-19, 1 file, -0/+1
  Reported-by: Mart Frauenlob <mart.frauenlob@chello.at>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_NFQUEUE: fix bypass option documentation
  Florian Westphal, 2013-04-13, 1 file, -2/+2
  Steve Caligo points out that the documentation says 'packet will move on to the next rule'. This is incorrect; the packet moves to the next table.
  nf bugzilla #778.
  Signed-off-by: Florian Westphal <fw@strlen.de>
* libxt_recent: Fix missing space in manpage for --mask option
  Mart Frauenlob, 2013-04-06, 1 file, -1/+1
  Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'stable'
  Pablo Neira Ayuso, 2013-04-05, 1 file, -1/+1
  Resolve conflict with Nicolas Dichtel's update on utils/Makefile.am for nfnl_osf.
* utils: nfnl_osf: use the right nfnetlink lib
  Nicolas Dichtel, 2013-04-05, 1 file, -1/+1
  If the user specifies libnfnetlink_LIBS during configure, we must use it.
  Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* utils: nfbpf_compile
  Willem de Bruijn, 2013-04-02, 4 files, -4/+71
  A BPF compiler to convert tcpdump expressions to the decimal format accepted by the libxt_bpf. Generate a file and pass that to iptables:
    nfbpf_compile RAW 'udp dst port 9000' > test.bpf
    iptables -A OUTPUT -m bpf --bytecode-file test.bpf -j LOG
  Or pass the output directly to iptables using backticks:
    iptables -A INPUT -m bpf --bytecode \
      "`./nfbpf_compile RAW 'udp dst port 9000'`" -j LOG
  This utility depends on libpcap. The library is only compiled if the option --enable-bpf-compiler is explicitly passed to ./configure and libpcap is found.
  Pablo has mangled the original patch to rename the utility to nfbpf_compile. Also modified the output to match exactly what -m bpf --bytecode needs.
  Signed-off-by: Willem de Bruijn <willemb@google.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: add libxt_bpf extension
  Willem de Bruijn, 2013-04-02, 3 files, -0/+203
  Add user-space code to support the new BPF iptables extension.
  Pablo has mangled the original patch to:
  * include a copy of include/linux/netfilter/xt_bpf.h in the tree.
  * I have also removed the --bytecode-file option. The original proposal was to accept BPF code in a file in human readable format. Now, with the nfbpf_compile utility, it's very easy to generate the filter using tcpdump-like syntax.
  * I have removed the trailing comma in the backtick format, the parser works just fine for me here.
  * Fix error message if --bytecode is missing.
  Signed-off-by: Willem de Bruijn <willemb@google.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
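The 'udp dst port 9000' filter used in the nfbpf_compile and libxt_bpf commits, worked through as an added example that is not part of the iptables tree or of these commits. It hand-assembles a classic BPF program for that expression over a RAW packet (IPv4 header at offset 0, which is what the netfilter hooks hand to the match), emits it in the "N,code jt jf k,..." decimal format that `-m bpf --bytecode` takes, and runs a minimal cBPF interpreter over constructed packets to show what the kernel match would decide, including IP options, a non-first fragment and a truncated packet. The instruction sequence is my own and is assumed to be equivalent in effect to, not byte-identical with, what `nfbpf_compile RAW` emits; the packets are constructed inline; a non-zero program return is treated as a match, which is how the xt_bpf match evaluates the program.

```python
"""Hand-assembled cBPF for 'udp dst port 9000' on a RAW (IPv4-first) packet,
serialised to the iptables -m bpf --bytecode format, plus a tiny interpreter.
Added example; not iptables project code. Instruction list is an assumption
(equivalent in effect to nfbpf_compile's output, not necessarily identical)."""
import struct

# Classic BPF opcode values (Linux linux/filter.h encoding)
LDB_ABS = 0x30   # A = pkt[k]
LDH_ABS = 0x28   # A = ntohs(pkt[k:k+2])
LDH_IND = 0x48   # A = ntohs(pkt[X+k:X+k+2])
LDX_MSH = 0xb1   # X = (pkt[k] & 0xf) * 4, i.e. the IPv4 header length
JEQ_K   = 0x15   # pc += (A == k) ? jt : jf
JSET_K  = 0x45   # pc += (A & k) ? jt : jf
RET_K   = 0x06   # return k  (non-zero = match for -m bpf)


def udp_dst_port_filter(port):
    """cBPF program matching IPv4/UDP with destination port `port`.
    Non-first fragments carry no UDP header, so they never match."""
    return [
        (LDB_ABS, 0, 0, 9),       # 0: A = ip.protocol
        (JEQ_K,   0, 6, 17),      # 1: not UDP -> insn 8 (ret 0)
        (LDH_ABS, 0, 0, 6),       # 2: A = ip.flags | frag_offset
        (JSET_K,  4, 0, 0x1fff),  # 3: frag_offset != 0 -> insn 8 (ret 0)
        (LDX_MSH, 0, 0, 0),       # 4: X = ihl * 4
        (LDH_IND, 0, 0, 2),       # 5: A = udp.dst_port at X+2
        (JEQ_K,   0, 1, port),    # 6: wrong port -> insn 8
        (RET_K,   0, 0, 1),       # 7: match
        (RET_K,   0, 0, 0),       # 8: no match
    ]


def to_xt_bpf(prog):
    """Serialise to the --bytecode string: 'N,code jt jf k,code jt jf k,...'."""
    return ",".join([str(len(prog))] + ["%d %d %d %d" % insn for insn in prog])


def run_cbpf(prog, pkt):
    """Interpreter for the opcodes used above. An out-of-bounds load
    terminates the program with 0, as the kernel's cBPF runtime does."""
    a = x = pc = 0
    while True:
        code, jt, jf, k = prog[pc]
        pc += 1
        if code == LDB_ABS:
            if k + 1 > len(pkt):
                return 0
            a = pkt[k]
        elif code == LDH_ABS:
            if k + 2 > len(pkt):
                return 0
            a = struct.unpack_from("!H", pkt, k)[0]
        elif code == LDH_IND:
            if x + k + 2 > len(pkt):
                return 0
            a = struct.unpack_from("!H", pkt, x + k)[0]
        elif code == LDX_MSH:
            if k + 1 > len(pkt):
                return 0
            x = (pkt[k] & 0xf) * 4
        elif code == JEQ_K:
            pc += jt if a == k else jf
        elif code == JSET_K:
            pc += jt if (a & k) else jf
        elif code == RET_K:
            return k
        else:
            raise ValueError("unsupported opcode 0x%02x" % code)


def ipv4_packet(proto, dport, frag_off=0, options=b""):
    """Constructed sample packet: IPv4 header (+ optional options, length
    a multiple of 4) followed by an 8-byte UDP-style header. Not captured data."""
    ihl = 5 + len(options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 8, 0, frag_off,
                     64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    l4 = struct.pack("!HHHH", 12345, dport, 8, 0)   # sport, dport, len, csum
    return ip + options + l4


def matches(port, pkt):
    """True if the kernel match would fire for this packet."""
    return run_cbpf(udp_dst_port_filter(port), pkt) != 0


if __name__ == "__main__":
    # Prints the string to pass as:  iptables -A INPUT -m bpf --bytecode "..." -j LOG
    print(to_xt_bpf(udp_dst_port_filter(9000)))
```

For real rules prefer the output of nfbpf_compile, which goes through libpcap's optimizer; the value of running the program offline, as above, is that you can see the filter reject a non-first fragment and a packet too short to carry a UDP header before the rule ever reaches a box.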
* libip6t_DNPT: add manpage
  Pablo Neira Ayuso, 2013-04-01, 1 file, -0/+30
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libip6t_SNPT: add manpage
  Pablo Neira Ayuso, 2013-04-01, 1 file, -0/+30
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_osf: fix bad location for location in --genre
  Pablo Neira Ayuso, 2013-03-29, 1 file, -1/+4
  closes http://bugzilla.netfilter.org/show_bug.cgi?id=805
  Reported-by: Bourne Without <blackhole@airpost.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxt_osf: fix missing --ttl and --log in save output
  Pablo Neira Ayuso, 2013-03-29, 1 file, -0/+4
  closes http://bugzilla.netfilter.org/show_bug.cgi?id=805
  Reported-by: Bourne Without <blackhole@airpost.net>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ip[6]tables: show --protocol instead of --proto in usage
  Mart Frauenlob, 2013-03-29, 2 files, -2/+2
  As the man page shows --protocol not --proto, also do so in the usage text displayed by ip[6]tables -h.
  Signed-off-by: Mart Frauenlob <mart.frauenlob@chello.at>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Revert "build: resolve link failure for ip6t_NETMAP"
  Pablo Neira Ayuso, 2013-03-29, 1 file, -11/+7
  This reverts commit 68e77a26111ee6b8f10c735a76891a7de6d57ee6.
  The use of libtool was introduced to resolve linking problems in NETMAP (IPv6 version), but that resulted in RPATH problems reported from distributors and warnings spotted by libtool at linking stage.
  Since (0ca548b libip6t_NETMAP: Use xtables_ip6mask_to_cidr and get rid of libip6tc dependency) fixed the NETMAP issue, let's roll back to our previous stage.
  A small conflict in extensions/GNUmakefile.in has been resolved in this revert.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libip6t_NETMAP: Use xtables_ip6mask_to_cidr and get rid of libip6tc dependency
  Pablo Neira Ayuso, 2013-03-29, 5 files, -7/+3
  This patch changes the NETMAP target extension (IPv6 side) to use the xtables_ip6mask_to_cidr available in libxtables. As a side effect, we get rid of the libip6tc dependency.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump version to 1.4.18 (tag v1.4.18)
  Pablo Neira Ayuso, 2013-03-03, 1 file, -1/+1
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: rpfilter: invert option should have own paragraph
  Florian Westphal, 2013-02-17, 1 file, -0/+1
  Signed-off-by: Florian Westphal <fw@strlen.de>
* doc: iptables provides up to 5 independent tables
  Pablo Neira Ayuso, 2013-02-17, 2 files, -2/+2
  This closes bugzilla: http://bugzilla.netfilter.org/show_bug.cgi?id=807
  Reported-by: Quentin Armitage <quentin@armitage.org.uk>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: bump SONAME for libxtables
  Jan Engelhardt, 2013-02-06, 1 file, -1/+1
  Commit v1.4.17-16-gefcdba4 updated structs in xtables.h, so age must become 0 and vcurrent be increased. The latter has already happened in v1.4.17-6-gd1e7922.
  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables
  Jozsef Kadlecsik, 2013-01-31, 3 files, -0/+45
* doc: document nat table for IPv6
  Pablo Neira Ayuso, 2013-01-28, 1 file, -0/+7
  Based on the IPv4 description.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Merge branch 'stable' into 'master'
  Pablo Neira Ayuso, 2013-01-28, 2 files, -0/+38
* extensions: S/DNPT: add missing save function
  Jan Engelhardt, 2013-01-28, 2 files, -0/+38
  Jean-Michel DILLY reports that `ip6tables -S` exits with
    Target `DNPT' is missing save function
  when a DNPT rule is invoked. Fix this omission.
  References: http://marc.info/?l=netfilter&m=135904831220440&w=2
  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Add the "state" alias to the "conntrack" match
  Jozsef Kadlecsik, 2013-01-28, 3 files, -4/+26
* Introduce match/target aliases
  Jozsef Kadlecsik, 2013-01-28, 3 files, -32/+52
  The match/target alias allows us to support the syntax of matches/targets merged into other matches/targets.
* doc: document the -4 and -6 options
  Jan Engelhardt, 2013-01-07, 2 files, -0/+18
  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: mention -m in the manpage
  Jan Engelhardt, 2013-01-07, 2 files, -0/+14
  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: name the supported log levels for ipt_LOG
  Jan Engelhardt, 2013-01-07, 2 files, -2/+8
  Leonardo Ferreira da Silva Boiko lets it be known that syslogd.conf may not exist on certain systems. Referencing that manpage is not a good idea in any case, I believe, since the strings that are accepted are defined by iptables and not a syslog implementation.
  References: http://bugs.debian.org/567564
  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: document iptables-restore's -h option
  Jan Engelhardt, 2013-01-07, 2 files, -2/+8
  References: http://bugs.debian.org/644221
  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: document iptables-restore's -M option
  Jan Engelhardt, 2013-01-07, 2 files, -2/+12
  References: http://bugs.debian.org/644221
  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: document iptables-restore's -v option
  Jan Engelhardt, 2013-01-07, 2 files, -2/+8
  References: http://bugs.debian.org/644221
  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: document iptables-restore's -t option
  Jan Engelhardt, 2013-01-07, 2 files, -2/+8
  References: http://bugs.debian.org/644221
  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* doc: fixup omissions in ip6tables-restore.8
  Jan Engelhardt, 2013-01-07, 2 files, -3/+5
  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: add xtables_print_num
  Pablo Neira Ayuso, 2013-01-04, 4 files, -89/+53
  This function is used both by iptables and ip6tables, and is refactored to avoid lines of code longer than 80 columns.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libxtables: add xtables_rule_matches_free
  Pablo Neira Ayuso, 2013-01-04, 5 files, -46/+28
  This function is shared by iptables and ip6tables.
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: remove unused leftover definitions
  Pablo Neira Ayuso, 2013-01-04, 1 file, -16/+0
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libip6t_DNAT: set IPv6 DNAT --to-destination
  Ulrich Weber, 2013-01-04, 1 file, -5/+5
  as in IPv4 and fixes DNAT_save
  Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extension: libip6t_DNAT: allow port DNAT without address
  Ulrich Weber, 2013-01-04, 2 files, -6/+16
  Correct parsing of IPv6 port NAT without address NAT, assuming one colon as port information. Allows:
  * address only:
      -j DNAT --to affe::1
      -j DNAT --to [affe::1]
  * port only:
      -j DNAT --to :80
      -j DNAT --to :80-110
      -j DNAT --to []:80
      -j DNAT --to []:80-110
  * address and port:
      -j DNAT --to [affe::1]:80
      -j DNAT --to [affe::1]:80-110
  Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
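The `--to` forms enumerated in the commit above, worked through as an added example that is not libip6t_DNAT's own parser. It implements the stated rule, exactly one colon means "port information" and anything else is taken as a bare IPv6 address, handles the bracketed forms including the empty `[]`, and re-renders the result in one canonical shape so that every spelling of the same mapping compares equal. The port-range bound of 0..65535 and the canonical output shape are assumptions of this example; the inputs are the ones listed in the commit message.

```python
"""Parser for the ip6tables DNAT --to argument forms listed in the commit:
address only, port only, address and port. Added example, not project code.
Rule implemented: exactly one ':' separates (possibly empty) address from port;
'[...]' delimits an address; zero or several ':' means a bare IPv6 address."""
import ipaddress


def parse_ip6_dnat_to(arg):
    """Return (IPv6Address or None, (low, high) or None).
    Raises ValueError for anything outside the accepted forms."""
    addr_part, port_part = arg, None
    if arg.startswith("["):
        close = arg.find("]")
        if close < 0:
            raise ValueError("unterminated '[' in %r" % arg)
        addr_part = arg[1:close]            # may be empty: "[]:80"
        rest = arg[close + 1:]
        if rest:
            if not rest.startswith(":"):
                raise ValueError("unexpected text after ']' in %r" % arg)
            port_part = rest[1:]
    elif arg.count(":") == 1:
        addr_part, port_part = arg.split(":")   # ":80" -> addr "", port "80"
    # else: no colon or more than one colon: bare IPv6 address, no port

    addr = ipaddress.IPv6Address(addr_part) if addr_part else None
    ports = None
    if port_part is not None:
        if not port_part:
            raise ValueError("empty port in %r" % arg)
        lo, _, hi = port_part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not (0 <= lo <= hi <= 65535):      # assumed bound for this example
            raise ValueError("bad port range %r" % port_part)
        ports = (lo, hi)
    if addr is None and ports is None:
        raise ValueError("neither address nor port in %r" % arg)
    return addr, ports


def render_to(addr, ports):
    """Canonical spelling used by this example: [addr]:lo-hi, [addr], or :lo-hi."""
    out = "[%s]" % addr if addr is not None else ""
    if ports is not None:
        lo, hi = ports
        out += ":%d" % lo if lo == hi else ":%d-%d" % (lo, hi)
    return out


def rejects(arg):
    """True if parse_ip6_dnat_to refuses `arg`; used to check the error paths."""
    try:
        parse_ip6_dnat_to(arg)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for a in ("affe::1", "[affe::1]", ":80", ":80-110", "[]:80", "[affe::1]:80-110"):
        print("%-20s -> %s" % (a, render_to(*parse_ip6_dnat_to(a))))
```

The error paths matter for a rule loader: an unbracketed `affe:1` is two-colon-free and so parsed as an address, which `IPv6Address` rejects, and a bare `80` (no colon) is likewise rejected rather than silently becoming a port, which is the ambiguity the one-colon rule exists to avoid.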
* extensions: libip6t_DNPT: fix wording in DNPT target
  Ulrich Weber, 2013-01-03, 1 file, -9/+9
  replaces SNPT by DNPT. This fixes broken help message that points to SNPT.
  Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* build: resolve link failure for ip6t_NETMAP
  Jan Engelhardt, 2013-01-02, 1 file, -8/+12
  The link stage of libip6t_NETMAP has recently started failing.
    CCLD   libip6t_NETMAP.so
    /usr/lib64/gcc/x86_64-suse-linux/4.7/../../../../x86_64-suse-linux/bin/ld: cannot find -lip6tc
  libip6t_NETMAP.c uses the "ipv6_prefix_length" function from libip6tc.so; "-lip6tc" is used in the Makefile, but the directory to it is not specified. Why does the link succeed for some people? Because /usr/lib(64)/libip6tc.so satisfies -lip6tc, but not all environments, especially those without iptables development files, have that file, hence this link error can happen.
  By suggestion of Mike Frysinger, this patch uses libtool to produce and link the plugins.
  Signed-off-by: Jan Engelhardt <jengelh@inai.de>
  Acked-by: Mike Frysinger <vapier@gentoo.org>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* bump version to 1.4.17 (tag v1.4.17)
  Pablo Neira Ayuso, 2012-12-25, 1 file, -1/+1
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>