Commit message | Author | Age | Files | Lines
...
* physdev: remove extra space in output | Jan Engelhardt | 2008-08-13 | 1 | -11/+12
| Just a cosmetic fix for `iptables -S` and `iptables-save` printing two spaces between arguments in the physdev match.
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| Signed-off-by: Patrick McHardy <kaber@trash.net>
* manpages: correct erroneous markup | Jan Engelhardt | 2008-08-12 | 9 | -10/+10
| Text paragraphs should use .PP, since .TP makes it a list item with indented description.
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Put xtables.c into its own library, libxtables.so | Jan Engelhardt | 2008-08-04 | 4 | -13/+39
| iproute2's tc's m_ipt.c poses as a pseudo-iptables program to make use of the info structure composition of iptables extensions. Since tc would have to clone a lot of code, xtables.c is put into its own shared library and should not be relied upon by any other programs.
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_dscp: fix save of negated dscp match rules | Phil Oester | 2008-08-04 | 1 | -1/+1
| As pointed out by Vyacheslav Garashchenko, iptables-save does not save negated dscp matches properly. Fix below. This closes bugzilla #533.
| Phil
| Signed-off-by: Phil Oester <kernel@linuxace.com>
| Signed-off-by: Patrick McHardy <kaber@trash.net>
* iptables-save: fix hashlimit output | Phil Oester | 2008-08-04 | 1 | -1/+1
| In bugzilla 550, Xeb notes that the --hashlimit-htable-gcinterval argument is saved incorrectly. Patch below corrects.
| Patch-from: Xeb <xeb@mail.ru>
| Signed-off-by: Phil Oester <kernel@linuxace.com>
| Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_recent: do not allow both --set and --rttl | Jan Engelhardt | 2008-08-04 | 1 | -10/+23
| Reported-by: Erich Schubert <erich@debian.org>
| Reference: Debian bug #346034
| "I was using the --rttl option in my --set line; this caused all incoming ssh connections to be rejected; --rttl is only to be used with --rcheck and --update."
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| Signed-off-by: Patrick McHardy <kaber@trash.net>
* iptables-restore: fix segmentation fault with -tanything | Jan Engelhardt | 2008-08-04 | 4 | -8/+6
| Reference: Debian bug #458042
| iptables-restore must not pass a table into do_command. It checks for "-t arg" and "--table arg", but not "-targ". (On a related note, using -targ does not work as expected).
| This should fail gracefully, but crashes:
|     iptables-restore <(echo -e '*filter\n-A INPUT -tx\nCOMMIT')
| And this should use table "filter", or perhaps raise an error, but instead sets the table to (literally) "-tfilter":
|     iptables -tfilter -A INPUT
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: drop libiptc from installation | Jan Engelhardt | 2008-08-04 | 1 | -3/+0
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: remove dependency on libiptc headers | Jan Engelhardt | 2008-08-04 | 9 | -10/+17
| xtables.h does not really need libxtc.h, and we can drop it from the install as it is internal-only.
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| Signed-off-by: Patrick McHardy <kaber@trash.net>
* manpages: name and markup fixes | Jan Engelhardt | 2008-07-30 | 2 | -24/+24
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| Signed-off-by: Patrick McHardy <kaber@trash.net>
* Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables | Jan Engelhardt | 2008-07-29 | 10 | -458/+471
|\
| * v1.4.2-rc1 (tag: v1.4.2-rc1) | Patrick McHardy | 2008-07-23 | 2 | -4/+4
| |
| * xt_string: string extension case insensitive matching | Joonwoo Park | 2008-07-07 | 2 | -11/+74
| | The string extension can search patterns case insensitively with --icase option. A new revision 1 was added, in the meantime invert of xt_string_info was moved into flags as a flag.
| | Signed-off-by: Joonwoo Park <joonwpark81@gmail.com>
| | Signed-off-by: Patrick McHardy <kaber@trash.net>
| * libiptc: fix scalability performance issue during initial ruleset parsing | Jesper Dangaard Brouer | 2008-07-03 | 1 | -11/+112
| | Finding jump chains is slow O(Chain*Rules).
| | The problem: is that the chain list is searched linearly for each rule with a jump target. The problem lies in the "second pass" (of function parse_table) where the userchain jump targets are found. For each rule "R" with a IPTCC_R_JUMP target, function iptcc_find_chain_by_offset() searches through the chains "C" in the chain list (worst-case hitting the last one).
| | The solution: in this patch is to speed up iptcc_find_chain_by_offset() by using binary search. Reducing complexity from O(C) to O(log C).
| | Implementation: It's possible to use the same bsearch algorithm and data structure (chain_index), as used for chain name searching.
| | How is that possible: One has to realize that the chains are both sorted by name and offsets, this is because the chains are already sorted in the ruleset from the kernel.
| | Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
| | Signed-off-by: Patrick McHardy <kaber@trash.net>
| * libiptc: minor bugfix | Jesper Dangaard Brouer | 2008-07-03 | 1 | -1/+2
| | Minor bugfix, an extra check is needed if the tail element is a builtin chain, as builtin chains are not sorted.
| | Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
| | Signed-off-by: Patrick McHardy <kaber@trash.net>
| * manpages: various updates | Jan Engelhardt | 2008-07-03 | 2 | -390/+225
| | - synchronized iptables--ip6tables manpages
| | - -S option, list of chain names, protocol names
| | - markup updates
| | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| | Signed-off-by: Patrick McHardy <kaber@trash.net>
| * build: various changes to release.sh | Jan Engelhardt | 2008-07-03 | 2 | -25/+2
| | - do not remove autogen.sh
| | - remove COMMIT_NOTES - it does not apply to git anymore
| | - create SHA1 sums for tarballs and patches
| | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| | Signed-off-by: Patrick McHardy <kaber@trash.net>
| * build: quote variables in release.sh | Jan Engelhardt | 2008-07-03 | 1 | -11/+11
| | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| | Signed-off-by: Patrick McHardy <kaber@trash.net>
| * libxt_TOS: make sure --set-tos value/mask is recognized | Jan Engelhardt | 2008-06-30 | 1 | -1/+2
| | Only when a 'stop' pointer is passed, the string may consist of more than just a number.
| | Reported-by: Anonymous
| | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| | Signed-off-by: Patrick McHardy <kaber@trash.net>
| * build: ip6.h is not required | Jan Engelhardt | 2008-06-25 | 1 | -1/+0
| | Remove the check from configure.ac that errors out when ip6.h is not found. The code does not actually depend on any structures from it.
| | Reported-by: anonymous
| | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| | Signed-off-by: Patrick McHardy <kaber@trash.net>
| * build: change equality test for old bash | Jan Engelhardt | 2008-06-23 | 1 | -4/+4
| | Michael used GNU bash, version 1.14.7(1), which apparently does not seem to know about the double ("==") variant of equality tests.
| | Reported-by: Michael Teicher <mteicher@gmail.com>
| | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| | Signed-off-by: Patrick McHardy <kaber@trash.net>
| * ip6tables: add --goto support | Thomas Jacob | 2008-06-23 | 2 | -2/+38
| | Signed-off-by: Patrick McHardy <kaber@trash.net>
| * release.sh: fix changelog filename | Patrick McHardy | 2008-06-19 | 1 | -1/+1
| | Add missing .txt extension.
| | Signed-off-by: Patrick McHardy <kaber@trash.net>
* | build: do not install ip{,6}tables.h | Jan Engelhardt | 2008-07-29 | 1 | -1/+1
|/ These files do not contain anything that 3rd party modules could reasonably use.
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Add simple release script | Patrick McHardy | 2008-06-17 | 1 | -0/+30
| Signed-off-by: Patrick McHardy <kaber@trash.net>
* v1.4.1.1 (tag: v1.4.1.1) | Patrick McHardy | 2008-06-16 | 1 | -1/+1
|
* iprange: kernel flags were not set | Jan Engelhardt | 2008-06-13 | 1 | -0/+6
| The --src-range and --dst-range parameters did not set the IPRANGE_* flags in struct xt_iprange_mtinfo.
| Reported-by: Maxim Britov <maxim.britov@gmail.com>
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| Signed-off-by: Patrick McHardy <kaber@trash.net>
* iptables: fix printing of line numbers with --line-numbers arg | Henrik Nordstrom | 2008-06-13 | 2 | -2/+2
| Commit bb34082d ("iptables --list chain rulenum") broke the line numbering, starting with printing an offset of 2.
| Signed-off-by: Patrick McHardy <kaber@trash.net>
* build: fix `make install` when --disable-shared is used | Jan Engelhardt | 2008-06-12 | 1 | -1/+1
| When --disable-shared is used, there are no .so files to install, and the argument order for install would get messed up.
| Reported-by: Michael Teicher <mteicher@gmail.com>
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| Signed-off-by: Patrick McHardy <kaber@trash.net>
* ip6tables: fix printing of ipv6 network masks | Jan Engelhardt | 2008-06-10 | 1 | -4/+4
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| Signed-off-by: Patrick McHardy <kaber@trash.net>
* v1.4.1 (tag: v1.4.1) | Patrick McHardy | 2008-06-10 | 1 | -1/+1
|
* manpage updates | Jan Engelhardt | 2008-06-08 | 18 | -43/+47
| A number of options support negation, but the manpage did not reflect this ("[!]" was absent). Also fix a few [] (optional arguments) to {} (required arguments) in the option-BNF.
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| Signed-off-by: Patrick McHardy <kaber@trash.net>
* sparse warning fixes: integer used as pointer | Patrick McHardy | 2008-06-07 | 7 | -12/+12
| Signed-off-by: Patrick McHardy <kaber@trash.net>
* iptables-xml: sparse fixes | Patrick McHardy | 2008-06-07 | 1 | -7/+7
| - Using plain integer as NULL pointer
| - Undeclared non-static variables
| Signed-off-by: Patrick McHardy <kaber@trash.net>
* libiptc: move variable definitions to head of function | Patrick McHardy | 2008-06-07 | 1 | -2/+4
| Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxt_owner: add spaces to output | Jan Engelhardt | 2008-06-06 | 1 | -23/+23
| It could happen that --<arg><value> was printed on iptables-save with owner rules (owner_mt_save() function) without the obligatory space in between. Also transfer printing of the space character into owner_mt_print_item().
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| Signed-off-by: Patrick McHardy <kaber@trash.net>
* addrtype match: added revision 1 | Laszlo Attila Toth | 2008-06-06 | 3 | -16/+220
| In revision 1 address type checking can be limited to either the incoming or outgoing interface depending on the current chain. In the FORWARD chain only one of them is allowed at the same time.
| Signed-off-by: Laszlo Attila Toth <panther@balabit.hu>
| Signed-off-by: Patrick McHardy <kaber@trash.net>
* Fix iptables-save output of libxt_owner match | Lutz Jaenicke | 2008-06-06 | 1 | -9/+9
| The _save functions need to use the same syntax that is used for parsing the input instead of "user readable" output.
* Bump version (tag: v1.4.1-rc3) | Patrick McHardy | 2008-06-06 | 1 | -1/+1
|
* build: check for missing feature files | Jan Engelhardt | 2008-06-05 | 2 | -0/+11
| linux/dccp.h is unlikely to be installed before 2.6.18 (which was when headers_install was introduced), and does not exist at all before 2.6.14. Add a compile-time check to skip compilation of libxt_dccp in case this was detected.
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| Signed-off-by: Patrick McHardy <kaber@trash.net>
* Update .gitignore | Jan Engelhardt | 2008-06-05 | 1 | -0/+47
| Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| Signed-off-by: Patrick McHardy <kaber@trash.net>
* Resync header files with kernel | Patrick McHardy | 2008-06-05 | 21 | -129/+473
| Resync headers and add types.h file for endian annotated types, which are not available with old headers.
* Use s6_addr32 to access bits in int6_addr instead of incompatible name | Yasuyuki Kozakai | 2008-06-04 | 2 | -2/+2
| Spotted by Khem Raj <raj.khem@gmail.com>
| Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
| Signed-off-by: Patrick McHardy <kaber@trash.net>
* Add xtables version defines. | Thomas Jarosch | 2008-06-03 | 2 | -1/+20
| Attached is a patch to add the new defines. The macro XTABLES_VERSION is already in use, so I named it XTABLES_VERSION_CHECK. I've also tested that an empty XTABLES_VERSION_EXTRA in configure.ac works.
| Now we can write code like this:
|     #warning You are obselete and will be assimilated.
| Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
| Signed-off-by: Patrick McHardy <kaber@trash.net>
* manpages: consistent syntax | Patrick McHardy | 2008-06-02 | 31 | -85/+92
| In the manpages, bold is used to denote characters the user has to enter verbatim, italic denotes placeholders and non-highlighted pieces are used as a structure: "[]" specifying an optional part, "{}" a mandatory part, with "|" used for alternations. The "!" for negation is better supported before the option than after it, too. The patch makes a few files consistent with this style already used in manpages.
* iptables 1.4.1-rc2 (tag: v1.4.1-rc2) | Patrick McHardy | 2008-05-26 | 1 | -1/+1
|
* REDIRECT: Allow symbolic port in REDIRECT --to-port | Kristof Provost | 2008-05-26 | 1 | -0/+3
| Fixes Bugzilla 482.
| Signed-off-by: Kristof Provost <kristof@sigsegv.be>
* Merge branch 'master' of vishnu.netfilter.org:/data/git/iptables | Patrick McHardy | 2008-05-20 | 1 | -1/+1
|\
| * Bump version to 1.4.1-rc1 (tag: v1.4.1-rc1) | Patrick McHardy | 2008-05-19 | 1 | -1/+1
| | Actually it's not a bump but a decrease, the autoconf patches apparently sneaked in a version bump to 1.4.1 already.
* | Don't assume /bin/sh is bash | Thomas Jacob | 2008-05-20 | 1 | -6/+8
|/ The new iptables git version assumes /bin/sh is always GNU bash, that's not the case (Ubuntu 8.04 uses dash), see attachment for a fix.
| Signed-off-by: Patrick McHardy <kaber@trash.net>