Commit message | Author | Age | Files | Lines
* v1.4.2-rc1 [v1.4.2-rc1] | Patrick McHardy | 2008-07-23 | 2 | -4/+4
|
* xt_string: string extension case insensitive matching | Joonwoo Park | 2008-07-07 | 2 | -11/+74
|   The string extension can search patterns case insensitively with --icase option. A new revision 1 was added, in the meantime invert of xt_string_info was moved into flags as a flag.
|
|   Signed-off-by: Joonwoo Park <joonwpark81@gmail.com>
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* libiptc: fix scalability performance issue during initial ruleset parsing | Jesper Dangaard Brouer | 2008-07-03 | 1 | -11/+112
|   Finding jump chains is slow O(Chain*Rules).
|
|   The problem: is that the chain list is searched linearly for each rule with a jump target. The problem lies in the "second pass" (of function parse_table) where the userchain jump targets are found. For each rule "R" with an IPTCC_R_JUMP target, function iptcc_find_chain_by_offset() searches through the chains "C" in the chain list (worst-case hitting the last one).
|
|   The solution: in this patch is to speed up iptcc_find_chain_by_offset() by using binary search. Reducing complexity from O(C) to O(log C).
|
|   Implementation: It's possible to use the same bsearch algorithm and data structure (chain_index), as used for chain name searching.
|
|   How is that possible: One has to realize that the chains are both sorted by name and offsets, this is because the chains are already sorted in the ruleset from the kernel.
|
|   Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* libiptc: minor bugfix | Jesper Dangaard Brouer | 2008-07-03 | 1 | -1/+2
|   Minor bugfix, an extra check is needed if the tail element is a builtin chain, as builtin chains are not sorted.
|
|   Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* manpages: various updates | Jan Engelhardt | 2008-07-03 | 2 | -390/+225
|   - synchronized iptables--ip6tables manpages
|   - -S option, list of chain names, protocol names
|   - markup updates
|
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* build: various changes to release.sh | Jan Engelhardt | 2008-07-03 | 2 | -25/+2
|   - do not remove autogen.sh
|   - remove COMMIT_NOTES - it does not apply to git anymore
|   - create SHA1 sums for tarballs and patches
|
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* build: quote variables in release.sh | Jan Engelhardt | 2008-07-03 | 1 | -11/+11
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_TOS: make sure --set-tos value/mask is recognized | Jan Engelhardt | 2008-06-30 | 1 | -1/+2
|   Only when a 'stop' pointer is passed, the string may consist of more than just a number.
|
|   Reported-by: Anonymous
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* build: ip6.h is not required | Jan Engelhardt | 2008-06-25 | 1 | -1/+0
|   Remove the check from configure.ac that errors out when ip6.h is not found. The code does not actually depend on any structures from it.
|
|   Reported-by: anonymous
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* build: change equality test for old bash | Jan Engelhardt | 2008-06-23 | 1 | -4/+4
|   Michael used GNU bash, version 1.14.7(1), which apparently does not seem to know about the double ("==") variant of equality tests.
|
|   Reported-by: Michael Teicher <mteicher@gmail.com>
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* ip6tables: add --goto support | Thomas Jacob | 2008-06-23 | 2 | -2/+38
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* release.sh: fix changelog filename | Patrick McHardy | 2008-06-19 | 1 | -1/+1
|   Add missing .txt extension.
|
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* Add simple release script | Patrick McHardy | 2008-06-17 | 1 | -0/+30
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* v1.4.1.1 [v1.4.1.1] | Patrick McHardy | 2008-06-16 | 1 | -1/+1
|
* iprange: kernel flags were not set | Jan Engelhardt | 2008-06-13 | 1 | -0/+6
|   The --src-range and --dst-range parameters did not set the IPRANGE_* flags in struct xt_iprange_mtinfo.
|
|   Reported-by: Maxim Britov <maxim.britov@gmail.com>
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* iptables: fix printing of line numbers with --line-numbers arg | Henrik Nordstrom | 2008-06-13 | 2 | -2/+2
|   Commit bb34082d ("iptables --list chain rulenum") broke the line numbering, starting with printing an offset of 2.
|
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* build: fix `make install` when --disable-shared is used | Jan Engelhardt | 2008-06-12 | 1 | -1/+1
|   When --disable-shared is used, there are no .so files to install, and the argument order for install would get messed up.
|
|   Reported-by: Michael Teicher <mteicher@gmail.com>
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* ip6tables: fix printing of ipv6 network masks | Jan Engelhardt | 2008-06-10 | 1 | -4/+4
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* v1.4.1 [v1.4.1] | Patrick McHardy | 2008-06-10 | 1 | -1/+1
|
* manpage updates | Jan Engelhardt | 2008-06-08 | 18 | -43/+47
|   A number of options support negation, but the manpage did not reflect this ("[!]" was absent). Also fix a few [] (optional arguments) to {} (required arguments) in the option-BNF.
|
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* sparse warning fixes: integer used as pointer | Patrick McHardy | 2008-06-07 | 7 | -12/+12
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* iptables-xml: sparse fixes | Patrick McHardy | 2008-06-07 | 1 | -7/+7
|   - Using plain integer as NULL pointer
|   - Undeclared non-static variables
|
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* libiptc: move variable definitions to head of function | Patrick McHardy | 2008-06-07 | 1 | -2/+4
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_owner: add spaces to output | Jan Engelhardt | 2008-06-06 | 1 | -23/+23
|   It could happen that --<arg><value> was printed on iptables-save with owner rules (owner_mt_save() function) without the obligatory space in between.
|
|   Also transfer printing of the space character into owner_mt_print_item().
|
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* addrtype match: added revision 1 | Laszlo Attila Toth | 2008-06-06 | 3 | -16/+220
|   In revision 1 address type checking can be limited to either the incoming or outgoing interface depending on the current chain. In the FORWARD chain only one of them is allowed at the same time.
|
|   Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* Fix iptables-save output of libxt_owner match | Lutz Jaenicke | 2008-06-06 | 1 | -9/+9
|   The _save functions need to use the same syntax that is used for parsing the input instead of "user readable" output.
* Bump version [v1.4.1-rc3] | Patrick McHardy | 2008-06-06 | 1 | -1/+1
|
* build: check for missing feature files | Jan Engelhardt | 2008-06-05 | 2 | -0/+11
|   linux/dccp.h is unlikely to be installed before 2.6.18 (which was when headers_install was introduced), and does not exist at all before 2.6.14.
|
|   Add a compile-time check to skip compilation of libxt_dccp in case this was detected.
|
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* Update .gitignore | Jan Engelhardt | 2008-06-05 | 1 | -0/+47
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* Resync header files with kernel | Patrick McHardy | 2008-06-05 | 21 | -129/+473
|   Resync headers and add types.h file for endian annotated types, which are not available with old headers.
* Use s6_addr32 to access bits in int6_addr instead of incompatible name | Yasuyuki Kozakai | 2008-06-04 | 2 | -2/+2
|   Spotted by Khem Raj <raj.khem@gmail.com>
|
|   Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* Add xtables version defines. | Thomas Jarosch | 2008-06-03 | 2 | -1/+20
|   Attached is a patch to add the new defines. The macro XTABLES_VERSION is already in use, so I named it XTABLES_VERSION_CHECK.
|
|   I've also tested that an empty XTABLES_VERSION_EXTRA in configure.ac works.
|
|   Now we can write code like this:
|
|       #warning You are obselete and will be assimilated.
|
|   Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* manpages: consistent syntax | Patrick McHardy | 2008-06-02 | 31 | -85/+92
|   In the manpages, bold is used to denote characters the user has to enter verbatim, italic denotes placeholders and non-highlighted pieces are used as a structure: "[]" specifying an optional part, "{}" a mandatory part, with "|" used for alternations. The "!" for negation is better supported before the option than after it, too. The patch makes a few files consistent with this style already used in manpages.
* iptables 1.4.1-rc2 [v1.4.1-rc2] | Patrick McHardy | 2008-05-26 | 1 | -1/+1
|
* REDIRECT: Allow symbolic port in REDIRECT --to-port | Kristof Provost | 2008-05-26 | 1 | -0/+3
|   Fixes Bugzilla 482.
|
|   Signed-off-by: Kristof Provost <kristof@sigsegv.be>
* Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables | Patrick McHardy | 2008-05-20 | 1 | -1/+1
|\
| * Bump version to 1.4.1-rc1 [v1.4.1-rc1] | Patrick McHardy | 2008-05-19 | 1 | -1/+1
| |   Actually it's not a bump but a decrease, the autoconf patches apparently sneaked in a version bump to 1.4.1 already.
* | Don't assume /bin/sh is bash | Thomas Jacob | 2008-05-20 | 1 | -6/+8
|/
|   The new iptables git version assumes /bin/sh is always GNU bash, that's not the case (Ubuntu 8.04 uses dash), see attachment for a fix.
|
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* fix ip6tables dest address printing | Jamie Strandboge | 2008-05-16 | 1 | -2/+2
|   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464244
|
|   ip6tables improperly displays the destination address when the address is longer than 18 characters. Here is example output:
|
|       ... DROP tcp 2001:db8::/32 2001:db8:3:4:5:6:7:8/128tcp spt:25 ...
|
|   Proper formatting should have a space between '2001:db8:3:4:5:6:7:8/128' and 'tcp'.
|
|   Signed-off-by: Jamie Strandboge <jamie@ubuntu.com>
|   Signed-off-by: Lawrence J. Lane <ljlane@debian.org>
|   Signed-off-by: Patrick McHardy <kaber@trash.net>
* Make --set-counters (-c) accept comma separated counters | Henrik Nordstrom | 2008-05-13 | 2 | -9/+14
|   Here is the --set-counters syntax patch requested earlier today making --set-counters (-c) accept comma separated counts.
|
|       -c packets,bytes
|
|   I have not updated the manpage to reflect this alternate syntax for the --set-counters (-c) option.
|
|   Henrik Nordstrom <henrik@henriknordstrom.net>
* iptables --list chain rulenum | Henrik Nordstrom | 2008-05-13 | 2 | -30/+62
|   Extend --list (and --list-rules) to allow selection of a single rule number
|
|       iptables --list INPUT 4
|       iptables --list-rules INPUT 4
|
|   list rule number 4 in INPUT.
|
|   Henrik Nordstrom <henrik@henriknordstrom.net>
* iptables --list-rules command | Henrik Nordstrom | 2008-05-13 | 8 | -429/+551
|   Adds iptables --list-rules (-S) command, acting as a combination of iptables --list and iptables-save.
|
|   The primary motivation behind this patch is to get iptables-save like output capabilities in iptables-restore, allowing "iptables-restore -n" to be used as a consistent API to iptables for all kinds of operations, not only blind updates.
|
|   As a bonus iptables also gets the capability of printing the rules as-is.
|
|   This completely replaces the earlier patch which added the --rules option.
|
|   Henrik Nordstrom <henrik@henriknordstrom.net>
* Add support for --set-counters to iptables -P | Henrik Nordstrom | 2008-05-12 | 2 | -4/+4
|   Adds support for setting the policy counters
|
|       iptables -P INPUT -J DROP -c 10 20
|
|   Henrik Nordstrom <henrik@henriknordstrom.net>
* Make iptables-restore usable over a pipe | Henrik Nordstrom | 2008-05-12 | 2 | -0/+2
|   The attached patch flushes stdout between commands to make output operations (-L etc) in iptables-restore usable over a pipe. stdio by default buffers output if not connected to a terminal.
|
|   Henrik Nordstrom <henrik@henriknordstrom.net>
* iptables out-of-tree build directory | Jan Engelhardt | 2008-05-12 | 1 | -1/+3
|   Reported by: Henrik Nordstrom
|
|   When xtables.h is not already found in /usr/include, compilation would fail when ${top_srcdir} != ${top_builddir}.
* [PATCH 1] Makefile.am: use PACKAGE_TARNAME | Jan Engelhardt | 2008-04-21 | 1 | -5/+5
|
* iptables-save:remove unnecessary code. | Shan Wei | 2008-04-21 | 1 | -13/+0
|   The following code is never used. It should be removed.
|
|   Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
* Properly initialize revision for ip6tables targets | Patrick McHardy | 2008-04-15 | 1 | -1/+8
|   Also resync error handling with iptables.
* Remove old functions, constants | Jan Engelhardt | 2008-04-15 | 97 | -606/+514
|
* [PATCH 11] configure.ac: remove already-defined variables | Jan Engelhardt | 2008-04-15 | 1 | -3/+1
|