| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
| |
Fixes this compile error:
CC nfnl_osf.o
nfnl_osf.c:48:36: fatal error: linux/netfilter/xt_osf.h: No such file or directory
compilation terminated.
References: http://marc.info/?l=netfilter&m=127449929621579&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
| |
This reverts commit 110c1e4502e21ea38e0980e6f8af857d24330099.
Revert the revert to restore the TEE target.
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
| |
This reverts commit 65414babaebcd403e9bf2c27d9d74adb369bf3aa, reversing
changes made to 7278461dfad72e2008585dd0bac0e889e5bba99e.
Forgot to commit the version increase.
|
|\ |
|
| |\ |
|
| | |
| | |
| | |
| | |
| | |
| | | |
xt_TEE is firstly included in Linux 2.6.35.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Rewrite port range validator to use xtables_strtoui() and
xtables_param_act(). Original check failed to recognize
such port range errors as "1a-2" and "1-2a".
Also, original parser erroneously denied using port 0,
which is now allowed.
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| | |
| | |
| | |
| | |
| | | |
Reported by yang.xuhui@jfsys.com.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Found by gcc -Wmissing-noreturn.
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Rewrite port range validator to use xtables_strtoui() and
xtables_param_act(). Original check failed to recognize
several types of port range errors, including:
"-1", "-1a", "-1-a", "a-1", "1a-2", "1-2a", etc.
Also, original parser erroneously denied using port 0,
which is now allowed.
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Many toolchains for embedded systems don't have largefile support:
usr/include/features.h:383:4: error: #error It appears you have defined _FILE_OFFSET_BITS=64. Unfortunately, uClibc was built without large file support enabled.
In file included from /build_armeb/staging_dir/usr/include/stdio.h:72,
from libiptc/libip4tc.c:18:
/build_armeb/staging_dir/usr/include/bits/uClibc_stdio.h:72:2: error: #error Sorry... uClibc was built without large file support!
In file included from libiptc/libip4tc.c:18:
/build_armeb/staging_dir/usr/include/stdio.h:83: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'fpos_t'
In file included from libiptc/libip4tc.c:18:
/build_armeb/staging_dir/usr/include/stdio.h:709: error: expected declaration specifiers or '...' before 'fpos_t'
/build_armeb/staging_dir/usr/include/stdio.h:711: error: expected ';', ',' or ')' before '*' token
Signed-off-by: Karl Hiramoto <karl@hiramoto.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
| |
| |
| |
| |
| | |
Signed-off-by: Simon Lodal <simonl@parknet.dk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This patch fixes the following problem:
# iptables -t raw -I PREROUTING -t raw -j CT --ctevents assured
iptables v1.4.7: Unknown event type "assured"
Try `iptables -h' or 'iptables --help' for more information.
However, `assured' is one of the supported arguments for --ctevents.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
iprange_parse() was incomplete and did not include parsed ranges into
ipt_iprange_info structure resulting in always adding range
0.0.0.0-0.0.0.0 in the kernel.
Moreover, when using --dst-range, error messages may display
--src-range instead. Fix this too.
Signed-off-by: Vincent Bernat <bernat@luffy.cx>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|/
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
| |
xt_osf is pretty useless without the actual fingerprint loader. Import
nfnl_osf-2009-06-07 and make it a part of the iptables distribution.
Cc: Evgeniy Polyakov <johnpol@2ka.mxt.ru>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
| |
There was no real restriction, and in fact, the kernel module never
had such a limitation in the last years.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
| |
MARK used to be limited to the mangle table, but there was no real
restriction.
References: http://marc.info/?l=netfilter-devel&m=126806510332668&w=2
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
| |
* iptables-restore was not checking for chain name length
* iptables was not checking for match name length
* target length was checked against 32, not 29.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=641
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
| |
Since libxt_comment.man is included in both iptables.8 and
ip6tables.8, we should probably try to create examples that do not
rely on either address family.
References: http://bugs.debian.org/572628
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
| |
Change dump_entry() signature defined in libip4tc.c to match prototype
declared in libiptc.c and another static dump_entry() function defined
in libip6tc.c. This function is not a part of the public libiptc API.
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
| |
The kernel has few restrictions.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Update the shipped Linux kernel headers from 2.6.33-rc6, as
iptables's ipt_ECN.h for example references ipt_DSCP.h, which no
longer exists.
Since a number of old code pieces have been removed in the kernel in
that fashion, the structs for older versions are moved into the .c
file, to keep header updating simple.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
|
|
|
|
|
| |
References: https://bugzilla.novell.com/561177
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
| |
References: https://bugzilla.novell.com/561179
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
| |
References: https://bugzilla.novell.com/561180
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
| |
Antique software (see link) built as shared library requires objects
compiled with -fPIC, so the standard archive won't do.
References: http://bugs.debian.org/527733
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|\ |
|
| |
| |
| |
| |
| |
| |
| | |
Sometimes there are users who wonder about when name resolutions/DNS
queries are done, so let's add that for completeness.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| | |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The two commands:
-A OUPUT -d 10.11.12.13/32 -j LOG
-R OUTPUT 1 -j LOG -d 10.11.12.13
will replace 10.11.12.13/32 by 10.11.12.13/0, which is not right.
(No regression, this problem was there forever.)
Reported-by: Werner Pawlitschko <werner.pawlitschko@arcor.de>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Using ranges in --ctexpire results in a parsing error:
conntrack: Bad value for "--expires" option: "1:1000"
The first value is parsed twice, after which the end pointer doesn't
point to the expected '\0' but to the colon.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|/
|
|
|
|
| |
From Evgeniy Polyakov <zbr@ioremap.net>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
| |
Specifying --random before --to-dest results in:
Multiple --to-destination not supported
Fix the flags check to only test the IPT_DNAT_OPT_DEST bit.
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using a bundled option like "-ptcp", 'argv[optind-1]' would
logically point to "-ptcp", but this is obviously not right.
'optarg' is needed instead, which if properly offset to "tcp".
Not all places change optind-based access to optarg; where
look-ahead is needed, such as for tcp's --tcp-flags option for
example, optind is ok.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=611
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
| |
In going to fix NF bug #611, "argv" is needed in
xtables_check_inverse to set "optarg" to the right spot in case of an
intrapositional negation.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=611
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
| |
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The mask created for the -D rulespec is simply too small.
xtables_targets points to whatever target has last been loaded, so
xtables_targets->size is quite almost wrong, as we need to use the
size of the target for the specific rule that is about to be deleted.
This bug existed ever since iptables history is tracked, and requires
certain circumstances to be visible, where the deletion operation is
one. Furthermore, multiple userspace target extensions must have been
loaded, and a target B whose .size is smaller than the target A of
the rule we are about to delete must have been loaded more recently
than target A. The minimal testcase is (rule 60007 gets wrongly
removed)
*nat
-F
-X
-A POSTROUTING -p udp -j SNAT --to 192.168.1.1:60007
-A POSTROUTING -p udp -j SNAT --to 192.168.1.1:60008
-A POSTROUTING -p udp -j CONNMARK --set-mark 0
-D POSTROUTING -p udp -j SNAT --to 192.168.1.1:60008
COMMIT
References: http://bugzilla.netfilter.org/show_bug.cgi?id=606
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a ruleset that does not reset any chain policies/counters, such as
*filter
COMMIT
is sourced by iptables-restore, the previous policy and counters
(i.e. the ones read from the kernel) are reused. The counter skew
offsetting is wrong however, causing the read value to be readded to
the kernel value. This manifests itself in practice by the counter
value almost doubling everytime iptables-restore is called.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|