| Commit message (Collapse) | Author | Age | Files | Lines |
Update multiport match to use the iptables version of proto_to_name
instead of reinventing the wheel.
Correcting a chain reference increment bug in libiptc.
The bug lies in the function iptc_delete_entry() / TC_DELETE_ENTRY. The
problem is the construction of "r", the rule entry that is used for
comparison: the function iptcc_map_target() increases the target
chain's reference count.
The below patch (dependent upon my 'reduce service_to_port duplication' patch)
centralizes the parse_*_port functions into parse_port.
The service_to_port function is used in a number of places, and could
benefit from some centralization instead of being duplicated everywhere.
As suggested by Dmitry Levin and included in Fedora Core releases,
use gcc instead of ld to link shared objects. Fedora rpm notes
refer to this fixing a plugin problem, but do not offer specifics.
But in any event, 'gcc -dumpspecs' does show gcc will pass a number
of parameters which in theory it thinks are better.
Compile tested both with and without NO_SHARED_LIBS.
Closes bug #454.
At present, a command such as
iptables -A foo -s 10.10/16
will interpret 10.10/16 as 10.0.0.10/16, and after applying the mask end
up with 10.0.0.0/16, which likely isn't what the user intended. Yet
some people do expect 10.10 (without the CIDR notation) to end up as
10.0.0.10.
The below patch should satisfy all parties. It zero pads the missing
octets only in the CIDR case, leaving the IP untouched otherwise.
This resolves bug #422.
Remove "hoho" message :)
As reported by Dmitry Levin, the TC_NUM_RULES and TC_GET_RULE exports
clash. His patch below resolves bug #456.
- Don't allow multiple --icmp-type/icmpv6-type
(Closes: #461)
Update the manpage for ip6tables multiport match to reflect
reality -- it does not (yet) support x:y syntax. I looked at
adding it, but adding revision support to ip6tables seems a
waste at this point, since once xtables support is added to
iptables, this problem will resolve itself.
Closes bug #451.
Cleanup a few compile warnings in latest snapshot:
extensions/libipt_dscp_helper.c:69: warning: 'dscp_to_name' defined but not used
extensions/libipt_sctp.c: In function 'print_chunks':
extensions/libipt_sctp.c:465: warning: value computed is not used
extensions/libipt_sctp.c:477: warning: value computed is not used
Resolves bug #457.
As pointed out by Nicolas Mailhot in bugzilla #483, REDIRECT
does not accept an IP address and when supplied with one,
provides unexpected results. Patch below fixes this.
<hawk@comx.dk>)
This patch adds the shared library module for the CONNSECMARK target
(IPv6).
Signed-off-by: James Morris <jmorris@namei.org>
patches :)
This patch adds the shared library module for the CONNSECMARK target
(IPv4).
Signed-off-by: James Morris <jmorris@namei.org>
This patch adds the shared library module for the SECMARK target (IPv6).
Signed-off-by: James Morris <jmorris@namei.org>
This patch adds the shared library module for the SECMARK target (IPv4).
Signed-off-by: James Morris <jmorris@namei.org>
This patch adds the infrastructure for linking iptables against
libselinux, for use with the SECMARK target. This is enabled
by setting DO_SELINUX=1 in the build environment.
Signed-off-by: James Morris <jmorris@namei.org>
something more useful.
Fixes "Unknown error 4294967295" message (bugzilla #460).
1), the error message "Unknown error 4294967295" is displayed; (Closes: #460)
option. However, the new array element is not initialized in either
commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] or
inverse_for_options[NUMBER_OF_OPT]. (Closes: #462)
bit position of the command mask as an index in the array. There's no entry for
CMD_CHECK (0x0800U), so lookups for CMD_RENAME_CHAIN (0x1000U) index outside the
array. (Closes: #463)
The current ip6tables tries to load libip6t_icmp6.so when a user types
'ip6tables -p icmpv6 ...' or 'ip6tables ... -m icmpv6 ...', and it fails.
This patch renames libip6t_icmpv6.c to libip6t_icmp6.c so that ip6tables
can load it. Now the kernel module and user library have the same name 'icmp6'.
It can reduce confusion about the name mismatch. That's why I renamed it
instead of reverting the change in find_match() which brought this bug.
This patch keeps compatibility and we can use '-p icmpv6', '-p ipv6-icmpv6',
'-m icmpv6', '-m ipv6-icmpv6', and '-m icmp6', as ever.
The recent kernels don't have ipt_connbytes.c and ip6t_esp.c.
Sometimes I hear that people do 'ip6tables -p ah ...' which never matches
any packet. IPv6 extension headers except for ESP are skipped and invalid
as an argument of '-p'. Therefore I propose that ip6tables exits with an error
in such a case.
If two or more matches of the same type are detected then the options
are assumed to be grouped in order to tell which option belongs
to which match:
... -m foo ... <options0> ... -m foo ... <options1> ...
Otherwise the commandline parsing is unmodified.
(Closes: #446)
(Closes: #440). However, while this fixes the double-free, it still doesn't make iptables
support two of the same matches within one rule. Apparently the last matchinfo is copied into all the previous
matchinfo instances.
Rempel) (Closes: #437)
file in a way that breaks userspace :(
(ipset.netfilter.org) these days
ipt_policy and ip6t_policy use the same data structure.